WASHINGTON, D.C. (Reuters) – Senators John Kerry and John McCain introduced a tough new privacy bill on Tuesday that would require companies to notify consumers in clear language when their data is being collected, and oblige them to keep that information safe from hackers.
There are increasing concerns about the security of consumers' personal data that companies collect. Millions of people face heightened risk of email swindles after a massive security breach suffered by Epsilon, an online marketing firm that handles email marketing lists for hundreds of clients.
The bill would apply to hundreds of companies from search engine giant Google Inc to telephone companies like AT&T Inc to cable companies like Verizon Communications and Comcast Corp.
The bill, if it becomes law, would require companies to tell consumers why data was being collected, whom it would be shared with and how it would be safeguarded.
Companies collecting data must also allow consumers to opt out of some data collection, and they must agree, or opt in, to collection of sensitive data like medical conditions.
The bill would also press businesses to collect only the information needed for any particular transaction.
Kerry, a Democrat from Massachusetts, said the measure had support from some big technology companies.
"These companies agree with us that it doesn't just make good business sense to protect their customer; they know it's the right thing to do," he told a news conference.
McCain, an Arizona Republican, noted that many websites — like most search engines — are free precisely because they are supported by advertising.
"Our bill seeks to respect the ability of businesses to advertise while also protecting consumers' personal information," said McCain.
The Obama administration said it was undecided on the bill.
Attorneys general would be limited to seeking a $3 million penalty for violating security and transparency rules. The FTC may levy civil penalties of $16,000 per violation per day.
DISAPPOINTMENT ALL AROUND
The bill seeks to protect data that is unique to a person, like their name, physical address, email address, telephone number, Social Security number and credit card numbers.
Enforcing the bill would fall to the Federal Trade Commission and to state attorneys general, with the FTC taking the lead.
California lawmakers are considering a "do not track" bill, which the Kerry/McCain measure would pre-empt.
This was not a concern, said a congressional staffer who argued that it was impossible to have state-by-state regulation of data collection.
"At the end of the day, this is interstate commerce," the staffer said.
The bill was a disappointment to the Direct Marketing Association, which argued that it risked damaging the Internet at a time when it was a vibrant spot in the U.S. economy. In 2010, companies spent more than $25.4 billion on digital advertising, which generated $503.6 billion in sales, DMA said.
"DMA is wary of any legislation that upsets the information economy without a showing of actual harm to consumers," said Linda Woolley, a DMA executive vice president.
It was also a disappointment to a coalition of consumer groups and privacy advocates, which welcomed the bill but called for it to be "significantly strengthened."
"I don't think this is going to affect online marketing at all," said Jeff Chester, director of the Center for Digital Democracy privacy group.
John Simpson, of Consumer Watchdog, agreed. "We cannot support it today," he said.
(Reporting by Diane Bartz, editing by Gerald E. McCormick and Matthew Lewis)