Commercial Privacy Bill of Rights Act
This bill’s backers hope to provide comprehensive protection of personally identifiable information for individuals. Their method: requiring transparency, giving individuals the ability to opt out of collection, and creating limitations on what information is collected, how much of it, and how long it can be kept.
This bill focuses on giving individuals notice about the information being collected about them, as well as actions they can take. It would require companies to provide individuals with a clear ability to opt out of unauthorized use of their information. For sensitive personally identifiable information, such as medical conditions, the Act would force companies to obtain consent, that is, to have people opt in. Individuals would also be able to access and correct the information, or have its use and distribution stopped.
In terms of data collected, companies could only collect the amount of information necessary to provide the requested service, and they could only keep that information as long as they need it in order to provide the service.
Who does this bill apply to? Any person who collects, uses, transfers, or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period. This includes common carriers and nonprofits.
What happens if you break these rules? The FTC or state attorneys general can pursue you, but individuals cannot sue a company over its data practices (there is no private right of action).
How to comply if the bill becomes law? Under the bill there may be an option to participate in a voluntary safe harbor program run by an FTC-approved nongovernmental organization. The benefit of participation would be exemption from certain parts of the bill. Also, if your business activities already fall under another federal privacy law, that law will continue to be the one you should follow. If your company does not participate in a safe harbor program and is not covered by another privacy law, the bill will require your company to have a process in place for responding to individuals’ concerns and complaints.
A side note – the text notes the FTC’s recognition of the difference between first-party data collection and what it views as third-party collection for behavioral advertising. A third party is defined as a party that is not associated with the first party or covered company, does not have an established business relationship with the individual, and does not identify itself to the individual at the time covered information is collected in a clear and conspicuous manner that is visible to the individual.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
