Following weeks of anticipation, on April 12, 2011, Senators John Kerry (D-MA) and John McCain (R-AZ) introduced comprehensive bipartisan legislation intended to provide consumers with greater control over the collection and use of personal information accessible through online and offline channels. The Commercial Privacy Bill of Rights Act of 2011 sets forth baseline fair information practice protections for consumers similar to those outlined in the December 2010 Department of Commerce Privacy Green Paper. Such protections would include consumer notice prior to the collection of personal information, and opt-in or opt-out consent mechanisms depending on the type of personal information collected and its intended use. Notably, the bill does not contain a Do Not Track provision, which distinguishes it from FTC staff recommendations and other privacy legislation and proposals.
The bill’s coverage is broad: nearly all online and offline businesses fall within scope, including telecommunications providers as well as non-profits. The FTC would be the lead enforcer against such entities, with the ability to levy civil penalties of $16,500 up to $3 million for violations. Similar state laws would be preempted. The bill does not provide for a private right of action.
By proposing a number of black letter requirements on privacy and data security practices, and setting forth significant monetary penalty provisions for violations, the bill is clearly intended to change the legal status quo in the privacy realm.