Senators John Kerry (D-Mass.), Chairman of the Senate Commerce Subcommittee on Communications, Technology, and the Internet, and John McCain (R-Ariz.), former Chairman of the Senate Commerce Committee today introduced The Commercial Privacy Bill of Rights Act of 2011 that establishes a framework to protect the personal information of all Americans.
"John and I start with a bedrock belief that protecting Americans' personal, private information is vital to making the Information Age everything it should be," said Senator John Kerry. "Americans have a right to decide how their information is collected, used, and distributed and businesses deserve the certainty that comes with clear guidelines. Our bill makes fair information practices the rules of the road, gives Americans the assurance that their personal information is secure, and allows our information driven economy to continue to thrive in today's global market. This is a win for bi-partisanship, a win for consumers, a win for the Internet and a win for businesses online and off. Most importantly, in a Washington where partisanship and division too often triumphs, it's a victory for common sense."
"Consumers want to shop, browse and share information in an environment that is respectful of their personal information. Our legislation sets forth a framework for companies to create such an environment and allows businesses to continue to market and advertise to all consumers, including potential customers," said Senator John McCain. "However, the bill does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing. It is this practice that American consumers reject as an unreasonable invasion of privacy. This bill would put in place rules to guide the Federal Trade Commission in its ability to ensure the security of personal information while providing businesses more clarity in the Commission's jurisdiction."
The Kerry-McCain Commercial Privacy Bill of Rights Act of 2011 would establish rights to protect every American when it comes to the collection, use, and dissemination of their personally identifiable information (PII).
These privacy rights include:
The right to security and accountability: Collectors of information must implement security measures to protect the information they collect and maintain.
The right to notice, consent, access, and correction of information: Collectors of information must provide clear notice to individuals on the collection practices and the purpose for such collection. Additionally, the collector must provide the ability for an individual to opt-out of any information collection and provide affirmative consent (opt-in) for the collection of sensitive personally identifiable information. Respecting companies existing relationships with customers and the ability to develop a relationship with a potential customers, the bill would require robust and clear notice to an individual of his or her ability to opt-out of the collection of information for the purpose of transferring it to third parties for behavioral advertising. It would also require collectors to provide individuals either the ability to access and correct their information, or the ability to request cessation of its use and distribution.
The right to data minimization, distribution constraints, and data integrity: Collectors of information would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development, to improve a transaction or service, and require that the information is only retained for a reasonable period of time. Collectors must bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the legislation requirements. The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information collected is accurate.
Other key elements of the Kerry-McCain Commercial Privacy Bill of Rights include:
Enforcement: The bill would direct State Attorneys General and the Federal Trade Commission (FTC) to enforce the bill's provisions, but not allow simultaneous enforcement by both a State Attorney General and the FTC. The bill would cap the amount of fines an Attorney General could seek against any one company for a violation. Additionally, the bill would prevent private rights of action.
Voluntary Safe Harbor Programs: The bill allows the FTC to approve nongovernmental organizations to oversee safe harbor programs that would be voluntary for participants to join, but would have to achieve protections as rigorous or more so as those enumerated in the bill. Individuals companies can also enroll on the safe harbor program. The incentive for enrolling in a safe harbor program is that a participant could design or customize procedures for compliance and the ability to be exempt from some requirements of the bill.
Role of Department of Commerce: The Act directs the Department of Commerce to convene stakeholders for the development of applications for safe harbor programs to be submitted to the FTC. It would also have a research component for privacy enhancement as well as improved information sharing.