Many website and blog operators will need to modify their privacy policies.
In a previous article, I made the point that due to variations in evolving state laws requiring online privacy policies, the U.S. needs a standard set of requirements at the federal level (see previous post: Are Online Privacy Policies Required by Law? dated 10/25/2010). Without a federal standard, online entrepreneurs were going to have a difficult, if not impossible, time complying with privacy rules.
As the saying goes… be careful what you wish for!
As of this writing (10 months later), 16 online privacy related bills have been introduced in Congress. Some of these bills overlap and will not be signed into law, but all of them, to some degree, deal with *PII management and disclosure practices for certain website and blog operators. So it will be interesting to see what shakes out.
(*PII is an acronym for personally-identifiable information. For more information, see previous post: What is PII?)
16 Privacy Bills Introduced in Congress so Far This Year
Table 1, below, is a list of bills introduced in Congress so far in 2011. It includes links to THOMAS, the database of U.S. Congress legislative information. If you would like to read details of a particular bill, click the bill number in the LINK column and that will take you to a Bill Summary & Status screen. In the table in that screen, click Text of Legislation in the second column, first row.
U.S. Federal Legislation Proposed so far in 2011 affecting Online Privacy Policies

| # | Bill |
|---|------|
| 1 | Best Practices Act |
| 2 | Do Not Track Me Online Act |
| 3 | Financial Information Privacy Act of 2011 |
| 4 | Commercial Privacy Bill of Rights Act of 2011 |
| 5 | Consumer Privacy Act of 2011 |
| 6 | Data Accountability and Trust Act |
| 7 | Do Not Track Me Online Act of 2011 |
| 8 | Data Accountability and Trust Act (DATA) of 2011 |
| 9 | Do Not Track Kids Act of 2011 |
| 10 | Electronic Communications Privacy Act Amendments Act of 2011 |
| 11 | Personal Data Privacy and Security Act of 2011 |
| 12 | Secure and Fortify Electronic Data Act |
| 13 | Geolocation Privacy and Surveillance Act |
| 14 | Geolocation Privacy and Surveillance Act |
| 15 | Data Security and Breach Notification |
| 16 | Location Privacy Protection Act of 2011 |

– Table 1 –
Who Will be Affected
Online entrepreneurs with small operations are not targeted by some of these bills based on current language. Ultimately, it depends on what gets negotiated in Congress and signed into law.
Senate bill 1151 (row 11 in Table 1) deals with data brokers, which it defines as:
A business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals for the purposes of providing such information to non-affiliated third parties on an interstate basis.
Sample of What is Coming
If something like Senate bill 799 becomes law, here is what can be expected. Collectors of PII that meet the volume threshold (mentioned above) will be legally required to:
1. Implement security measures to protect the PII they collect and maintain.
2. Provide clear notice regarding the collection practices and purpose of such collection.
3. Provide the ability to opt-in for the collection of sensitive PII. (See previous post for definition of sensitive PII: What is PII? section I, Examples of PII.)
4. Provide the ability for an individual to opt-out of any information collection that is unauthorized by the Act. The Act specifically requires “robust and clear notice” about the ability to opt-out of the collection of information for the purpose of transferring it to third parties for behavioral advertising.
5. Provide access and control to individuals to either access and correct their information, or to request cessation of its use and distribution.
6. Limit data collected – Collect only as much information as necessary to process or enforce a transaction or deliver a service.
7. Limit retention periods – Retain PII for only a reasonable period of time.
8. Bind third parties by contract to comply with the Act – Collectors must bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the Commercial Privacy Bill of Rights Act requirements.
9. Make efforts to ensure PII is accurate – The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.
The Time Has Come
The number and size of PII breaches in recent years is nothing short of unbelievable. In just the past few months alone, the Sony PlayStation Network (PSN) was hacked and over 100 million customer accounts were compromised. Epsilon, the world’s largest permission-based email marketer, had a massive breach of the customer lists of its major brand clients. And Citigroup recently reported that a cyber attack may have affected over 360,000 of its customers. If you’ve been getting your daily dose of business news, you know the list goes on and on.
While federal standards for PII handling will not eliminate the possibility of PII breaches, a universal set of requirements (for the U.S. at least) makes more sense than having individual states draft inconsistent mandates that only confuse and frustrate online businesses.
What are your thoughts? Is federal oversight of online privacy practices a good thing? Feel free to leave a comment. Your email address and any other PII you may include will be handled securely and never sold, leased, donated, or otherwise shared with any third parties. 🙂