Recent Activities in Washington Point to Complex Issues for Regulating Privacy


HHR Advisories & Publications

Recent activities out of Washington have again turned the spotlight on the complexity of protecting privacy in an era of targeted advertising and what role, if any, the federal government might take to implement regulations on the collection and use of data related to consumers' digital habits.

This week the chair of the House Caucus on Privacy, Rep. Edward Markey of Massachusetts, criticized responses received by the Caucus from several large Web publishers admitting that keeping track of data collection on their sites is technically difficult, if not impossible. Markey said that while the publishers detail their own privacy policies and opt-out procedures, these are often too complicated for the average consumer to follow. He also pointed out that a single website may have dozens of firms collecting data through ads on the site, and consumers would need to consult the policies of each of those firms to determine precisely what information was being collected and how it was being used. (We recently wrote about this issue in a previous Digitalhhr post in connection with location-based advertising and Apple's iPhone app policy.)

Markey said that Congress will continue to look into enacting privacy legislation in the future, and while he didn't mention any specific proposals, as detailed in our recent CLE Webinar on Privacy in a De-Centralized Digital World, two pending privacy bills have been introduced. The Boucher-Stearns Bill, proposed in May of this year, would require that "covered entities" (defined as any person engaged in interstate commerce that collects or stores data containing covered information or sensitive information) provide individuals with a privacy notice and an opportunity to opt out before collecting, using or disclosing "covered information" about that individual. Covered information is defined broadly and includes an individual's first name or initial and last name, a postal address, a telephone number or an email address.
In addition, the bill would also require that covered entities obtain affirmative opt-in consent before: (i) collecting sensitive information such as medical records, sexual orientation and precise geographic location information or (ii) sharing covered information or sensitive information with unaffiliated parties. A similar bill known as the "BEST PRACTICES Act", proposed two months after the Boucher-Stearns Bill, would permit a limited private right of action, allowing individuals to sue companies that violate the law for up to $1,000 in actual damages, plus punitive damages. Both privacy bills would grant enforcement power to the FTC and the states but are not expected to pass this year.

Meanwhile, the FTC has held a series of public roundtables to discuss proposals for regulating consumer privacy as an increasing number of companies engage in the collection, storage and disclosure of end user data. The last roundtable was held on March 17, 2010, and the FTC has been largely silent since then as to the findings for its much-anticipated revised report on privacy guidelines, which is expected later this year. That report is intended as the follow-up to the FTC's 2009 Staff Report, titled "Self-Regulatory Principles for Online Behavioral Advertising", which was the subject of a previous Digitalhhr post.

However, recent public statements by Maneesha Mithal, the associate director of the FTC Division of Privacy and Identity Protection, suggest that the FTC's new privacy report will include an emphasis on "consumer control". Mithal hinted that the upcoming FTC report may include findings of an increase in the collection, storage and use of data of which consumers are largely unaware, particularly with respect to behavioral advertising, and a blurring distinction between personally identifiable information and other types of data.
More importantly, Mithal indicated that the yet-to-be-approved report as currently drafted would recommend that all new technologies that involve the collection, storage, processing and/or disclosure of personal information should take into account end user privacy, including privacy reviews, as part of their design. The draft report also contains a requirement that consumers receive "just in time" notices of collection practices (that is, a notice at the time data is collected), rather than the current practice of incorporating data collection and use provisions as part of a site's terms of use/service and/or privacy policy. "Just in time" notices are required under EU regulations, raising the question of whether requiring such new notice obligations might be a first step taken by the FTC to move towards the stricter and more uniform EU model for data protection and privacy regulation.

In line with its recently stated focus on "consumer control" and in response to a 2007 push by a coalition of privacy groups, the FTC has also been considering improved opt-out mechanisms for online advertising, such as a "do not track" list, similar to the National Do Not Call Registry, that would permit consumers to opt out of having their online activities tracked for advertising or marketing purposes.

The FTC's 2009 Staff Report proposed non-binding guidelines for an industry currently subject to self-regulation. It remains to be seen whether the upcoming FTC report will propose actual regulations or seek guidance from Congress on whether to do so. We will continue to follow the ongoing developments in this evolving discussion.