House Bill Takes Softball Approach on Privacy
A benign privacy bill, one that would let companies regulate themselves, was introduced in Congress last week by Rep. Cliff Stearns (R-FL).
The Consumer Privacy Protection Act of 2002 would require only that companies post detailed privacy policies and that they allow consumers to opt out of information use with outside companies.
And unlike the online privacy bill introduced last month by Sen. Fritz Hollings (D-SC), individuals would not have the right to sue over violations.
“After holding a series of six hearings, the most comprehensive inquiry in Congress on information privacy, I am pleased to introduce this information privacy legislation with strong bipartisan support,” Stearns said in a statement. “From these hearings, we learned that we must strike a balance in protecting personal information without unduly interfering with the free flow of consumer information that strengthens our economy and benefits the consumer.”
The Stearns bill requires that a company supply a privacy policy on “the first instance of collection from the consumer of personally identifiable information that may be used for a purpose unrelated to the transaction.”
The data collector would have to reveal its own identity, describe outside users (or describe each “class” of outside user) and tell how the data may be used.
The consumer would be able to “preclude any sale or disclosure” of information to non-affiliates. However, firms would be allowed to provide a benefit to the person for permission to use the data.
Companies would be deemed compliant by the Federal Trade Commission (FTC) if they pursued an approved self-regulation program. A compliant firm would be immune to civil penalties for violations unless they were caused by “willful noncompliance.”
The bill calls on the FTC to conduct workshops “to facilitate the development of harmonized, universal wording or logo-based graphics.”
Violations would be deemed unfair or deceptive acts. But total penalties could not exceed for $500,000.
The bill would not supercede other federal privacy laws like the Gramm-Leach Bliley Financial Modernization Act and the Driver’s Privacy Protection Act of 1994, which have harsher measures. But it would preempt state privacy laws.
Personally identifiable information would include name, address, e-mail address, telephone number and social security number.
Stearns makes no mention of “sensitive” data as defined in the Hollings bill. (The term includes medical and financial data, and any indication of religion, political beliefs or sexual preference).
The legislation, which also includes requirements for preventing identity theft, exempts non-profit groups (as long as data is not used for a commercial purpose), and companies with annual revenue under $1 million and/or less than 25 employees. It also would not affect firms that collect or use data on less than 1,000 consumers.
