The quest for comprehensive, federal
privacy legislation has been on many a lawmakers’ wish list for years,
and two House members took the next step this week with the release of draft
legislation that would require opt-in access to sensitive online data, an expectation of privacy regarding
third-party apps, and easily accessible privacy practices.
Consumer groups, however, said the bill does not do enough and
criticized provisions that would prevent stronger state laws or
“Our goal is to encourage greater levels of electronic commerce by
providing to Internet users the assurance that their experience online
will be more secure,” Rep. Rick Boucher, a Virginia Democrat and
chairman of the House Subcommittee on Communications, Technology, and the Internet, said
in a statement. “That greater sense of privacy protection will be
particularly important in encouraging the trend toward the cloud computing.”
Boucher said the bill will not disrupt the online advertising
industry, but “simply extends to consumers important baseline privacy
Boucher unveiled the legislation with Rep. Cliff Stearns, a Florida
Republican and ranking member of the subcommittee. At this point, it is
just a draft, is being circulated for comment, and has not been
formally introduced in Congress.
“I have been working for years to enact meaningful privacy protection
legislation and this draft is advancing the process,” Stearns said.
“While I may not support everything in the current draft bill, it is
important to get the input of stakeholders. I look forward to working
with Chairman Boucher to improve upon his hard work.”
Specifically, the bill would require a company that collects
personally identifiable information to display an understandable
The bill also says that companies can collect information about
individuals unless they opt-out of those services. Consent would not be
required to collect operational or transactional data like Web logs or
cookies, or to aggregate anonymous Web data. Information that is
collected would have to be anonymized or deleted within 18 months.
Express consent would be required for private information like
medical records, financial accounts, Social Security number, sexual
orientation, government-issued identifiers and precise geographic
location information. Consent would also be required for a company to
share non-operational or non-transactional data with third parties.
As it relates to behavioral advertising – or serving up more relevant
ads based on Web history – a third-party ad network would need to
provide opt-out options via a “clear, easy-to-find link to a webpage for
the ad network that allows a person to edit his or her profile and, if
he chooses, to opt out of having a profile, provided that the ad
network does not share the individual’s information with anyone else.”
The Federal Trade Commission would be required to enforce the bill,
so they could hand down penalties or file suit against a company that
violated the rules. State attorneys general and consumer protection
agencies would also be able to enforce it. It would go into effect one
year after it is signed into law.
In a statement, Facebook said it applauded Boucher for “engaging in a
thoughtful, deliberative process by releasing a discussion draft prior
to introducing legislation.”
“As public attitudes towards sharing and control over information
evolve and become more diverse, Rep. Boucher has taken an important
step in what promises to be a productive and vigorous public dialogue
about privacy in the Internet age,” Facebook spokesman Andrew Noyes
said in an e-mail. “We look forward to being part of the discussion.”
Google and Microsoft had a similar view.
“We believe strong, consensus protections for data privacy are vital to support both the
interests of our users and future innovation,” a Google spokesman said.
“We are reviewing the draft legislation now and look forward to
working with Congress on this important issue.”
“Microsoft has long advocated for a comprehensive federal privacy
bill,” Microsoft spokeswoman Christina Pearson said in an e-mail. “We
look forward to working with Chairman Boucher, Rep. Stearns and the
House and Senate on this important effort to ensure consumer privacy is
A Yahoo spokeswoman said that Boucher and Stearns took “an important
step” with their bill.
“While there certainly remain some fundamental issues to be worked
out to make sure that this legislation protects the extraordinary
breadth of free services for consumers made possible by online
advertising, Yahoo commends the hard work that Representatives Boucher
and Stearns have done thus far and we are grateful that they have stated
they are not looking to disrupt this business model with their
legislation,” she said in a statement. “We look forward to continuing to
work constructively with the sponsors of this legislation and others
in Congress as they debate this complex but important issue.”
Specifically, they were concerned that the bill would pre-empt
current state, online privacy bills and ban a private right of action –
or individual lawsuits. The groups also did not think the “opt-out”
provisions of the bill went far enough to protect consumer rights, and
were concerned that companies could keep data for 18 months.
“Please explain to me why a marketer would need your information for
18 months?” asked Michelle DeMooy, senior associate for national
priorities at Consumer Action.
“This bill really adopts and endorses an archaic … notice and consent
regime that we know does not work,” said John Simpson from Consumer
Simpson said Internet companies will likely be thrilled by the bill.
“I can’t imagine that the industry would be happier if they’d written
a bill themselves,’ he said. “This basically gives them absolutely
everything they want with no meaningful protection for consumers
whatsoever. To describe it as industry-friendly is an understatement.”
“What we need is better default rules of the road for how privacy
occurs on the Internet [so] you don’t have to worry about opting-out,”
said Peter Eckersley, senior staff technologist at the Electronic
Frontier Foundation (EFF).
“One of the biggest concerns that we have with the current regime is
that when opt-outs are present, they’re frequently kind of dummy
opt-outs,” Eckersley continued. “What you’re opting out of is not the
collection of information about you, but rather the targeting of
advertising to you based on the information that was previously
collected. You have no option of being surveilled, you can only opt out
of being marketed to.”
Ginger McCall, staff counsel with the Electronic Privacy Information
Center (EPIC), said that the opt-out requirements “simply maintains the
status quo” while the state pre-emption clause denies the states a
more innovative solution to combating violations.
Evan Hendricks, editor and publisher of Privacy Times, did not mince
“No bill would be better than this bill,” he said. “This is a
non-starter. I don’t feel compelled [to thank Boucher for his efforts],
but I will thank him if he realizes that this thing should be buried.”
Other groups that voiced their concern on the call included the World
Privacy Forum, the Consumer Federation of America, the Privacy Rights
Clearinghouse, and the Center for Digital Democracy.
Editor’s Note: This story was updated on
Wednesday with comment from Yahoo.