Rep. Rick Boucher (D-VA) and Rep. Cliff Stearns (R-FL) proposed federal legislation last week that would create a two-tier standard of protection for private information: “covered information” would fall under the default “opt-out” method, while “sensitive information” would fall under an “opt-in” method.

The proposed legislation breathes new life into perennially dead-on-arrival privacy legislation, and potentially offers something the Obama administration can support in fulfilling its promise to close existing gaps in federal privacy law.

The phrase “sensitive information” includes any information that relates to an individual’s medical records, race or ethnicity, religious beliefs, sexual orientation, financial records, or precise geolocation information.

Opponents of the legislation have jumped all over it, claiming that it does not go far enough to protect individuals, especially in the online context. Others argue that European laws remain the gold standard for privacy protection, and that this legislation stopped short of going that far because of backlash from business.

From the Representatives’ press release, found here, the highlights of the proposed legislation are:

The draft measure would protect individuals’ privacy by requiring the following:

Disclosure of privacy practices: Any company that collects personally identifiable information about individuals must conspicuously display a clearly-written, understandable privacy policy that explains how information about individuals is collected, used and disclosed.

Collection and use of information: As a general rule, companies may collect information about individuals unless an individual affirmatively opts out of that collection. Opt-out consent also applies when a website relies upon services delivered by another party to effectuate a first party transaction, such as the serving of ads on that website.

No consent is required to collect and use operational or transactional data – the routine web logs or session cookies that are necessary for the functioning of the website – or to use aggregate data or data that has been rendered anonymous.

Companies need an individual’s express opt-in consent to knowingly collect sensitive information about an individual, including information that relates to an individual’s medical records, financial accounts, Social Security number, sexual orientation, government-issued identifiers and precise geographic location information.

Disclosure of information to unaffiliated parties: An individual has a reasonable expectation that a company will not share that person’s information with unrelated third parties. If a company wants to share an individual’s personally-identifiable information with unaffiliated third parties other than for an operational or transactional purpose, the individual must grant affirmative permission for that sharing.

Many websites work with third-party advertising networks, which collect information about a person or an IP address from numerous websites, create a profile and target ads based on that profile. As an exception to the general rule requiring opt-in consent for third-party information sharing, opt-out consent would apply to sharing of an individual’s information with a third-party ad network if there is a clear, easy-to-find link to a webpage for the ad network that allows a person to edit his or her profile and, if he or she chooses, to opt out of having a profile, provided that the ad network does not share the individual’s information with anyone else.

Implementation and enforcement: The Federal Trade Commission would adopt rules to implement and enforce the measure. States may also enforce the FTC’s rules through State attorneys general or State consumer protection agencies.