Senator John Kerry, Chairman of the Commerce Subcommittee on Communications, Technology and the Internet, today made the case for a Commercial Privacy Bill of Rights at a hearing of the Senate Commerce Committee addressing "The State of Online Consumer Privacy." Senator Kerry is currently working on legislation to protect online and offline commercial privacy.
"I have long thought baseline privacy protections in law were simple common sense," Senator Kerry said. "The status quo cannot stand. We cannot continue to allow the collectors of people's information to dictate the level of privacy protection Americans get when they engage in commerce. And we cannot continue to let firms provide no protections, provide misleading statements of protection that they can change at will, or send the information along to others without care for where it goes or under what conditions."
Senator Kerry's full statement, as prepared for delivery, is below:
Mr. Chairman, thank you for holding this hearing. As you know, modern technology allows private entities to observe the activities and actions of Americans on a scale previously unimaginable. And there is no general law of commerce to govern that surveillance.
I intend to propose one -- a Commercial Privacy Bill of Rights.
The purpose of the legislation I will present is not to discourage information sharing, but to encourage it -- but under a common code of conduct that respects the rights of both the people sharing their information and legitimate organizations collecting and using it on fair terms and conditions.
Every app you or your child adds to a smart phone is an observational opportunity for a private company. Internet users collectively sent 107 trillion, with a T, email messages in 2010. Each of those messages is scannable for key words indicating your interests. Facebook started 2010 with 350 million users and ended it with more than 600 million, almost all of whom are sharing information broadly whether they realize it or not. And the collection and use of information offline -- from grocery stores to hotels and airlines -- has also reached a record high, enhancing the data businesses collect online.
On the positive side, all this information sharing is generating immense economic activity and encouraging all kinds of innovation. But it has also created new opportunities for unethical collectors of information unwilling to abide by fair information practice principles. Why should they? -- some of them ask themselves, because there is no law requiring that they do. And that has understandably generated a lot of anxiety among Americans about protecting their identity and personal information.
People have asked what the problem is that legislation would solve. Well, under current law, there are companies today engaged in the practice of harvesting information from websites and elsewhere and using and selling that information without the consent or notification of the people to whom that information pertains. There are also companies engaged in the practice of using and collecting information that are not building privacy into the design of their services and as a result lack the appropriate procedures and protections to ensure people's information is secured and being treated fairly. Once a person's information is collected, there are no legal restrictions on further distribution other than those the collector chooses to impose on himself. And lastly, Americans cannot today demand that someone who has collected his information cease using it. Each of these activities is a problem that requires our attention.
I have long thought baseline privacy protections in law were simple common sense. And over the last six months, I have reached out to our colleagues on both sides of the aisle, to privacy experts at firms, in academia, and in the advocacy community with one goal - to figure out why we have not reached consensus on a national standard for the treatment of people's information and what we can do to establish one.
Interestingly enough, many of the companies that have rejected legislation in the past have made massive investments in privacy protection for their own customers and at their own firms. A fair share of them have Chief Privacy Officers who care deeply about the issue and have spent years thinking about it. These are serious people who believe people's information is deserving of respect and protection - not just because it makes good business sense to protect your customers but because they know doing so is the right thing to do.
The entire goal of the drafting process we are using to write a Commercial Privacy Bill of Rights is to win pro-privacy, pro-innovation experts over to the side of establishing a common code of conduct so that their customers are not just protected when working with them, but generally protected in the course of commerce. I believe that gaining such allies will depend on our willingness to recognize the obvious good that can come from appropriate collection and use of data while also allowing for experimentation and flexibility in the implementation of privacy practices through the establishment of safe harbor programs.
But I assure you that the status quo cannot stand. We cannot continue to allow the collectors of people's information to dictate the level of privacy protection Americans get when they engage in commerce. And we cannot continue to let firms provide no protections, provide misleading statements of protection that they can change at will, or send the information along to others without care for where it goes or under what conditions.
Either we establish clear, flexible rules for behavior in new legislation or our enforcement agencies will have to step up enforcement against unfair and deceptive practices through a process of strong cases built on less clear direction. And if we do not act, the world's largest markets will continue to impose on our innovators their own rules for privacy protection - rules that are less flexible and less innovative than what I will be proposing.