In addition, the legislation would require companies to obtain an individual's “opt-in” consent before collecting sensitive information, such as medical records, financial accounts, Social Security numbers, sexual orientations, government-issued identifiers and precise geographic location information. No consent would be required to collect and use operational or transactional data, such as web logs or session cookies, or to use aggregate data or information that has been rendered anonymous.
Organizations would be required under the legislation to discard, or make anonymous, any collected data after 18 months.
Boucher, chairman of the House Subcommittee on Communications, Technology, and the Internet, said in a statement that the goal behind the proposal is to “encourage greater levels of electronic commerce by providing to internet users the assurance that their experience online will be more secure.”
Gary Kibel, a partner in the technology, digital media and privacy group at New York-based law firm Davis & Gilbert, told SCMagazineUS.com on Wednesday that the proposal is the first attempt at creating a broad privacy law addressing online and offline data collection.
The draft bill has not yet been introduced and is currently only being discussed.
The proposal will undoubtedly garner mixed feelings, Kibel said.
“Those who make their living through online advertising might be scared this bill is going to hamper the development and profitability of that industry,” he said. “Those who come at this from consumer protection focus might believe this doesn't go far enough to give consumers control over how their information is used.”
The legislation has drawn criticism from The Competitive Enterprise Institute, a Washington, D.C. think tank. Members of the group have called the bill “misguided” and said it would actually be detrimental to consumers and stymie the evolution of online commerce.
“It represents a fundamentally flawed approach to online privacy,” Ryan Radia, associate director of technology studies at the organization, told SCMagazineUS.com on Wednesday.
Consumers should understand that the nature of the internet is that information is public unless otherwise specified, he said. The legislation may cause consumers to overlook privacy risks that aren't covered by the bill.
“The way to protect privacy is to be educated about privacy policies and risks,” Radia said. “Consumer awareness won't develop with a standard governing the internet, especially since the internet is far greater than the U.S.”
The draft bill would also mandate that organizations obtain consent when sharing nonoperational or nontransactional data with third parties.
However, the legislation provides an exception to this rule when sharing information with third-party behavioral advertising networks, which collect information about a user's browsing history to serve more relevant ads. Consent would not be required if the third-party ad network provides an easy-to-find link to a web page that allows an individual to edit his or her profile and opt out of data collection.
While much of the discussion of this legislation has centered on the implications for behavioral advertisers, the proposal affects any business that collects data online or offline, Kibel said.
“Because this is so broad, every industry impacted by it needs to examine it and provide input,” Kibel said.
The legislation would mandate that the Federal Trade Commission adopt rules to implement and enforce the measure. In addition, states would be able to enforce the FTC's rules through attorneys general or consumer protection agencies.