Breaking Down the Kerry/McCain Privacy Bill
Yesterday, CDT released its top-level analysis of the "Commercial Privacy Bill of Rights Act of 2011," (S. 799) introduced in the Senate by Sens. John Kerry (D-MA) and John McCain (R-AZ). It is the first comprehensive privacy bill introduced in the Senate in over a decade. CDT previously called the bill "a solid foundation" from which to develop a strong privacy protection framework, but this was the first time we drilled down into the bill to identify the things we like about it, and the things we’d like to see revised:
The highlights of what we see as the strengths of the bill:
- Implements the full range of Fair Information Practice Principles for all consumer data
- Lets the FTC develop standards for reasonable notice
- Provides for industry-specific "safe harbor" programs, subject to FTC approval
- Lets the FTC and state Attorneys General enforce the law and get penalties from violators
- Includes a reasonably scoped "Right To Be Forgotten"
On the other hand, there are few things we think should be improved:
- Definition of “first party” should to be narrowed to exclude affiliates and "established business relationships"
- Should provide stronger incentives to companies to join "safe harbor" programs
- Should allow for greater FTC rulemaking to provide clarity and certainty for consumers and businesses
- Should address the collection of data by third parties, not just usage
- All sensitive information should receive stronger application of the Fair Information Practice Principles
- Should not weaken existing prohibitions on retroactive material changes to privacy policies
- Should require companies who collect or use "all or substantially all" of a consumer’s online activity to get opt-in permission for collection and use
- Should provide narrow preemption of state laws only if the final bill provides sufficiently strong protections for consumer data.
CDT believes that the introduction of this bipartisan bill represents an historical opportunity to enact the comprehensive privacy law that American consumers increasingly need in a complex data ecosystem. We look forward to working with the members of the Senate Commerce Committee in this legislation.