Multiple Legislative Proposals Introduced as Privacy and Data Security Continues to Draw Congress’ Attention
The Obama administration and Congress continue to focus on privacy and data security issues, and there has been a flurry of activity this week on Capitol Hill. The scope of recent regulatory proposals is sufficiently broad that, if enacted, they would impact businesses across a diverse range of industries and sectors. Moreover, the momentum behind new privacy and data security regulations is growing stronger, suggesting that some sort of new regulations will be enacted in 2011. This alert briefly summarizes the recent congressional hearings and legislative proposals regarding mobile privacy and online privacy, and it lays out a roadmap of what to expect the rest of this year.
Push for Privacy and Data Security Regulation Picking up Steam
Though Congress actively worked on privacy and data security issues in the first few months of 2011, there has been a spike in recent days. Four new privacy and data security bills were introduced this week alone. One congressional hearing took place, and another is expected within the next week or two.
Geolocational Issues Emerge as a New Area of Focus
Mobile privacy is one area that has received a lot of recent attention. Congressional action in this realm largely pertains to geolocation tracking on smartphones and other mobile devices. As users access GPS-enabled applications on their mobile devices, they leave a virtual trail of bread crumbs that can be very valuable to companies seeking to capitalize on that consumer information. If Congress passes a law tightening the restrictions on mobile data collection and dissemination, it could dramatically alter the way that businesses operate.
Three bills unveiled during the week of June 13 would severely restrict a business’ ability to collect, store, sell or purchase geolocation information from mobile devices. Sen. Ron Wyden, D-Ore., and Rep. Jason Chaffetz, R-Utah, introduced companion bills, the Geolocation and Privacy Surveillance (GPS) Act (S. 1212/H.R. 2168), that would require companies to obtain a user’s explicit consent before collecting geolocation data. Sens. Al Franken, D-Minn., and Richard Blumenthal, D-Conn., released a bill, the Location Privacy Protection Act of 2011 (S. 1223), that would require any covered entity to offer upfront notice and receive informed consent from users to track their geolocation information. Their definition of a “covered entity” is very broad and would capture a wide swath of businesses that collect, store, sell or purchase mobile data.
Geolocational Bills Latest in Long List of Privacy Proposals
These latest proposals join several privacy bills released earlier in the spring that address both mobile privacy and online privacy. Each of these three proposals includes new regulations regarding online privacy and touches on mobile issues such as limiting a company’s ability to track or sell geolocation information to a third party. Reps. Ed Markey, D-Mass., and Joe Barton, R-Texas, authored a bill in the House, the Do-Not-Track-Kids Act (H.R. 1895), focused primarily on children’s personal information and online activity. Sen. Patrick Leahy, D-Vt., chairman of the Judiciary Committee, offered the Electronic Communications Privacy Act Amendments Act of 2011 (S. 1011), while Sen. Jay Rockefeller, D-W.Va., chairman of the Commerce Committee, offered a comprehensive proposal, the Do-Not-Track Online Act of 2011 (S. 913), that directs the Federal Trade Commission (FTC) to adopt a “do not track online” framework.
The online privacy bills that include mobile privacy components are joined by other bills focused on privacy in general. Sens. John Kerry, D-Mass., and John McCain, R-Ariz., co-sponsored the Commercial Privacy Bill of Rights Act of 2011 (S. 799), and Sen. Leahy introduced the Personal Data Privacy and Security Act (S. 1151). Additional House bills were offered by—
- Rep. Bobby Rush, D-Ill., the BEST PRACTICES Act (H.R. 611)
- Rep. Cliff Stearns, R-Fla., the Consumer Privacy Protection Act of 2011 (H.R. 1528)
- Rep. Jackie Speier, D-Calif., the Do Not Track Me Online Act of 2011 (H.R. 654).
All of the proposals share the same goal of adding new restrictions to the way information is collected and used through the Internet. Provisions in the additional bills include (i) creation of an opt-out or opt-in mechanism that would require Web sites to obtain user consent prior to collecting and storing personal information, (ii) new standards for notifying consumers and the FTC when a data breach occurs, (iii) new limits on the scope and duration of data retention and (iv) limits on data-sharing with third parties.
Data Security and Breach Notification Also Seeing Renewed Attention
In addition to mobile and online privacy, with large-scale online data breaches making headlines, Congress is also setting its sights on data security legislation. Rep. Mary Bono Mack, R-Calif., chairwoman of the Subcommittee on Commerce, Manufacturing and Trade, has played a prominent role in advocating stricter regulations for online data security. In conjunction with her subcommittee’s data breach hearing this week, Rep. Bono Mack released a discussion draft of the SAFE Data Act. The bill would place new responsibilities on companies to report any online data breach to the FTC, and it contains a data minimization proposal that would only allow companies to retain consumer information as needed for “legitimate business purposes.”
This week, Sens. Rockefeller and Mark Pryor, D-Ariz., unveiled a discussion draft of a similar bill, the Data Security and Breach Notification Act of 2011, requiring businesses that store consumer information to enact online security measures and to notify consumers in a timely manner when a data breach occurs. Neither the Data Security and Breach Notification Act of 2011 nor the SAFE Data Act currently have bill numbers as they have not yet been formally introduced.
With so many competing privacy proposals in play, there will be significant maneuvering to create a comprehensive privacy bill that addresses the concerns of privacy and data security advocates. There is bipartisan support in both chambers for new restrictions in the way consumer data is secured, collected, used and shared, making legislative action likely this year.
Meanwhile, the FTC and the Commerce Department have been studying these issues very carefully and remain engaged in the debate. Each has offered preliminary guidance on potential regulations. In the absence of meaningful congressional action this year, it is possible that both entities may attempt to proceed with regulations under their existing authority.
|James R. Tucker
|Jo-Ellyn Sakowitz Klein