Lawmakers unveil online privacy legislation

Consumer and privacy groups call the draft bill weak on privacy

Two U.S. lawmakers have released a draft bill that would require companies that collect personal information from customers to disclose how they collect and share that information, but several privacy and consumer groups said the proposal would legalize current privacy violations online.

The draft legislation, released Tuesday by Representatives Rick Boucher, a Virginia Democrat, and Cliff Stearns, a Florida Republican, would apply to information collected online and off. The bill would require companies collecting personal information to allow customers to opt out of the collection, and would require companies to get permission before sharing customers' personal information with third parties.

"Our legislation confers privacy rights on individuals, informing them of the personal information that is collected and shared about them and giving them greater control over the collection, use and sharing of that information," said Boucher, chairman of the House Energy and Commerce Committee's Subcommittee on Communications, Technology, and the Internet, in a statement. "Our goal is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure."

But several privacy and consumer groups, including the Consumer Federation of America, the Electronic Frontier Foundation and the Electronic Privacy Information Center, criticized the bill, saying it would codify current online privacy practices that exist more for the benefit of companies than customers.

"No bill would be better than this bill," Evan Hendricks, editor and publisher of the Privacy Times newsletter, said during a press conference.

The bill would put into law a weak privacy practice pervasive online today that allows companies to collect personal data if they give notice and, in some cases, get consent, added John Simpson, director of the Google privacy and accountability project at Consumer Watchdog.

"I can't really say very much good about it," he said. "This bill really adopts a bankrupt notice-and-consent regime that we all know does not work."

The consumer and privacy groups also complained that the bill would prohibit states from passing their own online privacy bills, prevent individual consumers from filing lawsuits against companies that don't protect privacy, and allow companies to keep personal information for up to 18 months.

"Please explain why a marketer would need to keep your information for 18 months," said Michelle De Mooy, senior associate for national priorities with Consumer Action.

Consumer Action praised the lawmakers for taking a first step toward a privacy bill. "But this bill is not the answer," De Mooy added. "Consumers are getting angrier and angrier, and we hear from them all the time about companies hiding under privacy policies to get to their personal information."

Companies would not need opt-in permission to collect operational or transactional data such as Web logs or cookies under the draft bill. However, companies would need opt-in consent to collect sensitive information such as medical records, Social Security numbers, information about sexual orientation and precise geographical location.

With the exemption for operational data, companies could collect almost any personal information without stronger safeguards, Simpson said.

The draft bill would require companies collecting personal information to display understandable privacy policies. The bill would exempt online companies from getting opt-in permission to share personal information with third-party advertising networks if there was an easy-to-find link to a personal profile page where customers could change their advertising preferences or opt out.

The draft bill is "thoughtful and a good starting point" for a discussion about online privacy, said Michael Zaneis, vice president for public policy at the Interactive Advertising Bureau (IAB), a trade group representing online advertising networks. He praised the bill for including a provision to launch a federal education campaign on consumer privacy.

But IAB also has some questions about the proposal, because it appears to expand the definition of personal information to include IP addresses and cookies, and appears to require online companies to get opt-in permission to collect that information when sharing it with third parties, he said. Web sites often pass that data between them, he said.

"We've never regulated cookies and IP addresses and treated them as if they were personally identifiable," he said.

The data collection notice requirements in the draft legislation are also extensive, and some Web publishers may know how third-party sites handle some information, he said. "I'm worried about first-party Web site obligations under the bill," Zaneis said. "We need to make sure that we have appropriate obligations on appropriate parties here."

While the consumer and privacy groups attacked the draft bill as too weak, the Progress and Freedom Foundation (PFF), an antiregulation think tank, complained that the bill could damage the online advertising market and result in less free online content for consumers.

"By mandating a hodge-podge of restrictive regulatory defaults, policymakers could unintentionally devastate the 'free' Internet as we know it," the PFF said in a statement. "Because the digital economy is fueled by advertising and data collection, a 'privacy industrial policy' for the Internet would diminish consumer choice in ad-supported content and services, raise prices, quash digital innovation, and hurt online speech platforms enjoyed by Internet users worldwide."

Lawmakers should first find "specific consumer harm that requires government intervention," the PFF added.

Fears that a strong privacy bill would kill online advertising are overstated, countered Jeffrey Chester, executive director of the Center for Digital Democracy.

"The industry wants to frame this debate in a very narrow, self-serving way, suggesting that if you protect privacy, you will curtail online advertising," he said. "The industry is using this threat that the Internet will go dark, will go bankrupt, if consumer privacy is protected. It's a disingenuous, twisted and fallacious argument."

Stories by Grant Gross