New York Sen. Hillary Clinton has introduced a far-reaching privacy bill that could spell deep trouble for any business that uses so-called personally identifiable information for marketing purposes.
Dubbed the Privacy Rights and Oversight for Electronic Commercial Transactions Act of 2006, or the PROTECT Act, the bill would hold companies liable if any customer data gets “compromised” through “theft, loss, data breach or other malfeasance.”
The bill — S. 3713 — includes a private right of action and would hold companies deemed to have violated it liable to each affected individual for $1,000 up to 1% of the company’s annual revenue.
The bill would also prohibit companies from issuing credit or making changes to an account as a result of identity theft. It would hold violators of that provision liable for $5,000 to each person whose identity was used fraudulently up to 5% of annual revenue.
Clinton’s bill would also extend the Gramm-Leach-Bliley Act by barring financial institutions from disclosing people’s buying histories to third parties without written or electronic permission from the consumer.
The Protect Act would also establish a national privacy czar to be appointed by the president.
Moreover, it would require notice to individual consumers in the event of a security breach and would allow consumers to put an indefinite freeze on their credit information barring credit bureaus from releasing information for credit purposes without their permission.
Among the more puzzling aspects of the bill is that it would bar companies from disclosing personally identifiable information to any branch, affiliate, subcontractor or unaffiliated third party outside the U.S. unless the company notifies each individual and each one is given an explanation and the opportunity to opt out.
As a result, any company with a redundant data center outside the U.S. will face unnecessary hurdles if this bill passes, said Tricia Robinson, vice president of marketing and strategy at Premiere Global Services’ marketing automation division in Atlanta.
“Say you’ve got a data center in Toronto, and one in Massachusetts, which is very common,” she said. “If you experience data system failure in your Massachusetts center and you automatically roll over to your Toronto data center, you can no longer send mail from that Toronto data center without the consumer knowing their data is sitting outside the U.S.”
Robinson said she could only speculate why the bill would contain such a provision, but that maybe it is intended to make people feel like data concerning them is more secure if it is housed in the U.S.
“People may think that if their data is here in the U.S. it is a lot safer than, say, if it’s in India,” she said.
Clinton’s office did not return a call for comment. The bill is sitting in the Senate Judiciary Committee.
