When it comes to the Federalist debates, I was always on the side that argued that creating a bill of rights would limit our rights rather than protect them. But, since we don’t live in that world, Congress is working on creating additional bills of rights (maybe this is just a fad). There was the recent Airline Passenger Bill of Rights. Now we’ve moved on to a Privacy Bill of Rights. Thanks goes to John McCain and John Kerry for putting their names behind this one.
The Privacy Bill of Rights would create 3 new rights for online users:
- The Right to Security and Accountability
- The Right to Notice and Individual Participation
- The Right to Data Protection (which includes Data Minimization, Constraints on Distribution of Information, and The right to Data Integrity)
Like many of the current proposals for a Federal data privacy law, there is no private right of action. The bill relies on state Attorney’s General to pursue actions against companies who fall short on their privacy protections. The bill also has the highest per day civil penalties, but only a moderate maximum penalty when compared with the other bills on the table.
The FTC will have to issue rules which translate the Privacy Bill of Rights into something meaningful which businesses can follow. The bill provides for 180 days for the FTC to issue that guidance, but realistically…that process could take years. The FTC Red Flag rules were not implemented for 2 years due to confusion on the part of businesses as to who was covered and how to comply.
The bill requires an opt in for collection of information as well as an opt-out for advertising. This will go a long way to change the de facto PII collection and storage polices of web-based companies.
The 3 rights that I’m calling Data Protection (Data Minimization, Constraints on Distribution of Information, and The right to Data Integrity) are the most interesting part of the bill and set it apart from the rest of the bills out there. For example, the bill will restrict transfers of information to “unreliable third parties”. Presumably this means that spammers or companies who have been repeatedly hacked won’t be able to get personal information. The bill will prevent companies from combining multiple sets of personal information from multiple sources as well, which will put limits on data aggregators.
Finally, there is a data integrity component which requires companies to ensure the information that they collect is accurate. This is a very forward thinking aspect of the bill, and could have very broad reaching implications. This seems similar to requirements placed on the credit bureaus for credit scores.