New York Sen. Hillary Clinton has introduced a far-reaching privacy bill that could spell deep trouble for any business that uses so-called personally identifiable information for marketing purposes.
The Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, or the Protect Act, would make companies accountable if any customer data gets “compromised” through “theft, loss, data breach or other malfeasance.”
The bill (S. 3713) includes a private right of action and would hold firms that violate it liable to each affected individual for $1,000, up to a total of 1% of the organization's annual revenue. Companies also would be prohibited from issuing credit or making changes to an account because of identity theft. Violators would be liable to each person whose identity was used fraudulently for $5,000, up to a total of 5% of the firm's yearly revenue.
The Protect Act would extend the Gramm-Leach-Bliley Act by barring financial institutions from disclosing a person's buying history to third parties without that consumer's written or electronic permission.
In addition, the measure would establish a national privacy czar to be appointed by the president; require that notice be made to individual consumers in case of a security breach; and allow people to put an indefinite freeze on their credit information, barring credit bureaus from releasing it for credit purposes without permission.
Among the act's more puzzling aspects is that it would prohibit companies from disclosing personally identifiable information to any branch, affiliate, subcontractor or unaffiliated third party outside the United States unless the organization notifies each individual, gives them all an explanation and offers the opportunity to opt out.
As a result, any company with a redundant data center outside the United States will face unnecessary hurdles if this bill passes, said Tricia Robinson, vice president for marketing and strategy at Premiere Global Services' marketing automation division in Atlanta.
“Say you've got a data center in Toronto, and one in Massachusetts, which is very common,” she said. “If you experience data system failure in your Massachusetts center and you automatically roll over to your Toronto facility, you no longer can send mail from that Toronto location without consumers knowing their data is sitting outside the United States.”
Robinson said she could only speculate why the bill would contain such a provision. She believed it might be intended to make people feel like data concerning them is more secure if it's housed in this country.
“People may think that if their data is here in the United States it's a lot safer than, say, in India,” she said.
Clinton's office did not return a call for comment. The bill is sitting in the Senate Judiciary Committee.
