Commercial Privacy Bill of Rights Act of 2011
Now, you might think that because you only operate a content-driven website or blog and don’t sell products, you do not need to be concerned. Think again. The Commercial Privacy Bill of Rights Act of 2011 includes email address in its list of data elements defined as personally identifiable information (PII). So, for example, if your site allows visitors to enter an email address to subscribe to a newsletter, you are a collector of PII and this proposed legislation applies to you.
As technology evolves and criminals find new ways to steal PII from companies of all sizes – particularly those with a presence on the internet – regulators, consumer advocates, and internet industry leaders continue to add measures to protect the public interest. A key element of that protection is a clear, comprehensive statement from businesses to customers (and employees) about how PII is collected, used, shared, stored, and disposed of.
1) U.S. Federal Law: The Commercial Privacy Bill of Rights Act of 2011 – This bill empowers the Federal Trade Commission to establish rules that require collectors of PII to provide, among other things, notice to individuals of their PII collection practices and the purpose of such collection. Previously, the FTC only recommended this type of notice and took action when companies violated their own policies. Now, explicit notice will be required by federal law. Here is a link to the text of the bill at govtrack.us: Commercial Privacy Bill of Rights Act of 2011. (Update: the bill died in committee.)
To be clear, there are numerous bills pending in Congress that address online privacy and full disclosure tends to be a common element. Just take a look at a recap compiled by InsidePrivacy.com. It’s an excellent summary of privacy and data security-related bills proposed at the federal level so far in 2011. In my opinion, however, the Kerry/McCain Commercial Privacy Bill of Rights Act, or something close to it, probably has the best chance to make its way into law. That’s just an opinion, of course. Time will tell. As a service to readers of this blog, I will update this post as significant information becomes available regarding this legislation.
2) State Laws – If forthcoming federal law is not enough impetus for you, some states already have laws on the books mandating online privacy policies. California and Massachusetts are two good examples. They explicitly require PII management procedures to be conspicuously posted on a website if PII is collected. With the federal government now mandating privacy policies, state laws are somewhat moot when it comes to the need to provide notice. However, many states have other very specific, stringent rules that must be followed if PII is collected from their residents. So, unless your site is equipped with software that filters out visitors from these states, it’s prudent to be aware of, and adhere to, those rules. For more information about state requirements check out one of my earlier articles entitled “Are Privacy Policies Required by Law?”
6) Minimize Costs of a Breach – Costs associated with a PII breach can be both tangible and intangible. The tangible category includes court costs, attorney’s fees, regulatory fines, and more. For example, in settling with the FTC, it’s not uncommon for a company to be required to hire an independent, third-party auditor to assess its security program, in some cases for an extended period into the future (click here to go to the FTC website for an example case). Intangible costs include brand damage and a tarnished reputation. Typically, the larger the breach, the higher the costs. By implementing a well-defined PII data security plan, businesses can limit the size of a breach and so keep costs to a minimum.