Newly proposed online privacy legislation to protect the collection, use and dissemination of personally identifiable information (PII) has divided the industry -- some say it’s sorely needed, while others counter that it goes too far and will hurt business.
Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) have introduced "The Commercial Privacy Bill of Rights," which would implement the new rules. The legislation would require "collectors of information" to implement security measures to protect the information, as well as provide notice to customers on the collection practices and their purpose. The bill would direct state attorneys general and the Federal Trade Commission (FTC) to enforce its provisions.
Consumer groups have praised the Commercial Privacy Bill of Rights as a step in the right direction for online privacy legislation, but it has divided companies that would be affected by it. Representatives from the Interactive Advertising Bureau (IAB), which recently announced that 2010 full-year Internet ad revenues set a new record, expressed concern that the proposal provides the FTC with too much discretion in drafting and implementing rules.
"We are concerned with the provisions in their proposal that would impose strict new requirements on first-party sites to allow their users to access, correct and delete data collected by that site," said Mike Zaneis, senior vice president and general counsel of the IAB. "These types of first-party restrictions were explicitly rejected by the FTC and are unnecessary to protect consumer privacy, but would severely hurt publishers."
During a press conference announcing the legislation, Kerry quickly pointed out that both he and McCain were careful to produce the Commercial Privacy Bill of Rights with "great sensitivity to the marketplace and the economy." Kerry added that many companies collect data and use it with high ethical standards, and some of the information has value.
"I think the legislation has the proper balance in respecting that there must be some flexibility in how you implement these new privacy standards," Kerry said. "The Commercial Privacy Bill of Rights does that by establishing a voluntary safe harbor program that companies can join so they can design their own privacy procedures" as long as they achieve privacy protections on par with the legislation.
Kerry said the industry already sees a need for online privacy legislation, made evident by the implementation of consumer privacy protections, uniform data collection and use practices, and the hiring of chief privacy officers.
Organizations, companies weigh in on Commercial Privacy Bill of Rights
In a statement responding to the proposed legislation, eBay Inc. said the bill strikes the right balance of protecting consumers’ right to privacy while ensuring that the Internet remains important to successful businesses. The eBay statement noted that current online privacy laws have left consumers without adequate privacy protections and businesses vulnerable to legal uncertainty as they "navigate the myriad of state and local privacy regulations."
"Trust, by consumers and businesses alike, is crucial to the continued success of the e-commerce marketplace," the eBay statement said. "And without strong federal privacy protections, it is hard to build a strong and lasting foundation of trust."
"The challenge now facing all of us is how to address issues related to security and privacy while enabling businesses to continue developing innovative products and services," wrote Microsoft representatives in the statement. "Legislation is an important component of a multi-pronged approach to privacy that also includes industry initiatives, technology tools and consumer education."
The bill also would require notifying individuals of their ability to opt out of the collection of information for the purpose of transferring it to third parties for behavioral advertising. Collectors would also have to provide individuals "either the ability to access and correct their information, or to request cessation of its use and distribution."
During the press conference, McCain said the bill seeks to respect the ability of businesses to advertise, market and to recruit new customers, as well as respect consumers' information. The goal was to "strike a balance" between the goals of consumer advocacy groups and industry regarding PII, McCain said.
"We particularly believe consumers and businesses will benefit by having a framework, as John pointed out, of rules established at the Federal Trade Commission that covers the collection and transfer of personal data," McCain said.
Under the proposed bill, collectors of information would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service. It would "allow for the collection and use of information for research and development to improve the transaction or service," but retain it for only "a reasonable period of time."
Collectors would also be required to bind third parties by contract to ensure that any individual information transferred to the third party would be used or maintained in accordance with the bill’s requirements. The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.
The Direct Marketing Association (DMA) expressed concern that the legislation would impose untold regulatory compliance costs on businesses without a showing that there is a market failure -- or even a need to regulate.
"DMA is wary of any legislation that upsets the information economy without a showing of actual harm to consumers," said Linda Woolley, DMA’s executive vice president, Washington operations. "This bill would have wide-ranging effects -- not just on the Internet, but on all of the economy, such as retailers, banks, hotels and mailers."
The Kerry/McCain bill was not the only IT news coming out of Washington this week. In an attempt to rein in exorbitant federal IT costs, Senators Tom Carper (D-Del.), Susan Collins (R-Maine), Joe Lieberman (I-Conn.) and Scott Brown (R-Mass.) introduced the Information Technology Investment Management Act of 2011.
That bill would require agencies to "develop information technology management and development programs to try and stop projects from ever getting off the tracks." The act includes a requirement that if a project deviates 20% or more from its baseline cost estimate, the agency CIO must conduct a review of the investment. Following the review, the agency CIO would have to provide Congress with the results of the review, including the major challenges faced by the project, how they will be fixed and who is accountable for making sure it happens.
Let us know what you think about the story; email Ben Cole, Associate Editor.