After more than a year of hearings and meetings with a broad array of interested parties, House subcommittee leaders have unveiled draft language of a bill that would set rules for Internet marketers and other Web companies in an effort to protect consumers' online privacy.
The draft bill sets guidelines for online companies to provide consumers with meaningful notice about what information is being collected and how it is being used and shared.
For most types of information, the bill only requires that companies provide consumers the ability to opt out of data collection, reflecting the industry concern that a rigid opt-in regime would sap the amount of information marketers have at their disposal to target ads, which in turn subsidize the bulk of the free content on the Web.
"Online advertising supports much of the commercial content, applications and services that are available on the Internet today without charge, and this legislation will not disrupt this well-established and successful business model. It simply extends to consumers important baseline privacy protections," Rick Boucher (D-Va.), the chairman of the Subcommittee on Communications, Technology and the Internet, said in a statement accompanying the release of the draft language.
Cliff Stearns (R-Fla.), the ranking Republican on the subcommittee, was somewhat less enthusiastic, though he joined Boucher in the release.
"I have been working for years to enact meaningful privacy protection legislation and this draft is advancing the process," Stearns said in the statement. "While I may not support everything in the current draft bill, it is important to get the input of stakeholders. I look forward to working with Chairman Boucher to improve upon his hard work."
Several industry sources involved in meetings discussing provisions of the bill said that Boucher had kept the provisions of the draft legislation close to the vest, noting that Stearns and other Republicans were miffed at being left out of the process.
But perhaps the most aggrieved parties are the outspoken privacy advocates representing consumer groups, many of whom feel that preserving the status quo with no legislation at all would be better than the draft bill released today.
"We're very disappointed with the legislation, which relies on notice and opt-out that has been proven to be so ineffective, that carves out a huge loophole for behavioral advertising," Susan Grant, director of consumer protection at the Consumer Federation of America, told reporters during a conference call.
To be sure, Boucher released the draft as a starting point, and reiterated his commitment to solicit feedback from interested parties before introducing the formal legislation and convening a hearing to consider it.
The privacy groups who staked out their opposition to the bill last met with Boucher in March, and while they commended him for his consideration of the issue, they felt that their suggestions had generally been ignored, and that the draft language circulated today largely reflects the priorities of the industry.
But critics say that's not materially different from the current self-regulatory regime in which consumers need to proactively opt out to avoid having their information collected and used for marketing purposes.
"This is very flawed legislation. It does rely on this failed notice-and-choice regime," said Jeff Chester, executive director of the Center for Digital Democracy. "The industry has really dodged the privacy bullet here."
Perhaps most egregious to the privacy groups are two provisions at the end of the draft bill. One prohibits the right to private action, barring individuals from suing companies for violations of the bill. The other preempts states from passing their own laws governing online data collection, cutting off the prospect of a more aggressive state legislature enacting a tougher bill.
Lots of loopholes
The draft bill outlines six categories of sensitive information that would be subject to more stringent restrictions: companies would be barred from collecting such data without "affirmative consent," essentially switching to an opt-in model.
Information relating to users' medical records, race or ethnicity, religious beliefs, sexual orientation, financial records or physical location would be placed in an opt-in model, though the advocacy groups warned that those categories are given only murky definition in the draft bill.
Among the loopholes the groups cautioned against is the exemption from the consent requirements for a "transactional" or "operational" purpose. That is, if a company could justify that collection and use of certain data were necessary to sustain its business operations and provide the services that consumers use -- stipulations broadly defined in the draft language -- it would be exempt from the same consent obligations in the rest of the bill. The transactional and operational exemptions would still prohibit the sale of data obtained without consent, as well as its use for marketing purposes.
It also codifies 18 months as the maximum duration that companies can store information in a behavioral targeting profile before rendering it anonymous, a far cry from the 24-hour cap that privacy advocates have been urging.
"Behavioral targeting companies don't need to be retaining data longer than 24 hours," said Pam Dixon, executive director of the World Privacy Forum.
There are no prohibitions on the collection or use of anonymous data, though critics have warned that anonymity on the Web is at best an amorphous term.
The bill also directs the Federal Trade Commission to set guidelines for safeguards that companies must adopt to protect consumers' information. Additionally, it instructs the FTC to conduct an education campaign to explain the opt-out and opt-in provisions in the bill.
It further calls on the Federal Communications Commission to submit a report enumerating every provision of communications law that pertains to consumer privacy so that the committee can work to harmonize the regulatory landscape. In the meantime, the FTC would have the authority to enforce the provisions in the new data privacy bill. State authorities would also be allowed to seek civil actions against parties that violated the bill, but would have to defer to the FTC and halt the action if the agency intervened.
Chester said the groups would continue to work with lawmakers to refine the bill, building on a letter they sent to House members yesterday calling for tougher provisions than those in the legislation released today. But today's release was a blow to their cause, and failing substantial changes in markup, the federal online privacy bill they have championed for so long might become their next target.
"We might just work to scuttle it," Chester said.