Senators Propose Data Privacy Law

10 Massive Security Breaches

Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) on Tuesday introduced "The Commercial Privacy Bill of Rights Act of 2011," a bill designed to protect people's personal information.

"Americans have a right to decide how their information is collected, used, and distributed and businesses deserve the certainty that comes with clear guidelines," said Kerry, in a statement. "Our bill makes fair information practices the rules of the road."

"Consumers want to shop, browse, and share information in an environment that is respectful of their personal information," said McCain, in a statement. "Our legislation sets forth a framework for companies to create such an environment and allows businesses to continue to market and advertise to all consumers, including potential customers."

On Tuesday, HP, Microsoft, eBay and Intel issued a joint statement supporting the bill, prior versions of which had been circulating in draft form. "We have long advocated for comprehensive federal privacy legislation, which we believe will support business growth, promote innovation and ensure consumer trust in the use of technology," said the companies, noting that "the complexity of existing privacy regulations makes it difficult for many businesses to comply with the law." They also lauded the bill for being "technology neutral."

The 44-page bill calls for "reasonable procedures" to ensure that personally identifiable and sensitive information is accurate and securely stored. In addition, "the bill would require robust and clear notice to an individual of his or her ability to opt-out of the collection of information for the purpose of transferring it to third parties for behavioral advertising," according to a statement released by the senators. "It would also require collectors to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution."

The bill defines personally identifiable information as a first name or initial plus last name, postal address, email address, telephone or cell phone number, social security or other government-issued identification number, credit card account number, biometric data, or any unique identifier that could be used to identify a specific person. It also lays out restrictions on collecting sensitive information such as data relating to a person's voice services, precise geographic location, religion, or medical condition.

The bill would authorize the Federal Trade Commission and state attorneys general to enforce the privacy rules--though not at the same time. But it expressly prohibits people from suing organizations that violate the rules.

Pressure for regulating how advertisers store and handle people's personal information has been growing. In December 2010, the FTC released a proposal for a privacy framework, labeling the previous approach--industry self-regulation--as a failure. Among the many options having been proposed is a Do Not Track mechanism in browsers, to enable consumers to opt out of online tracking or behavioral advertising. That particular approach was not discussed in the senators' bill.