
May 10, 2011

Your Site and the Commercial Privacy Bill of Rights Act of 2011


On April 12, 2011, Senators John Kerry (D-Mass) and John McCain (R-Ariz) announced proposed legislation that could become the first federal privacy and data security law. If passed into law, The Commercial Privacy Bill of Rights will have a huge impact on how personal information is collected, used, and shared by eCommerce websites. And penalties for failure to comply could be high, very high.

The Way It Was – And Still Is

A little background information is required for perspective.

Prior to 2000, the Internet was essentially like the “wild wild west” in terms of privacy and data security. Essentially, there was no regulation. Generally speaking, except in California, privacy issues were not high on the radar screens of government regulators.

In 2000, California became the first state to have an agency dedicated to promoting and protecting the privacy rights of consumers. In 2003, California passed the California Online Privacy Protection Act of 2003 (OPPA), the first state law in the nation requiring operators of commercial websites or online services to post a privacy policy. OPPA in essence became a de facto federal statute because it applied to any person or company in the United States (and conceivably the world), and no commercial website would want to attempt to screen out California residents from using its services or purchasing its products.

When OPPA became law, there was no federal privacy legislation of general application. The Bush administration essentially wanted to stay out of the way of the commercial development of the Internet.

Despite the lack of a federal statute of general application (which continues to this day), the feds did get involved with online privacy enforcement through the Federal Trade Commission (FTC). Empowered by The Federal Trade Commission Act, the FTC may take legal actions to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.

Beginning in 2000, the FTC issued a report to Congress outlining four core principles of privacy protection. Since then, the FTC has taken action against companies that fail to comply with their own privacy policies or otherwise misrepresent their information management practices.

So, although the requirement for a privacy policy originated with California’s OPPA, the feds, through the FTC, are empowered to act if a website is deceptive in failing to comply with its privacy policy.

Key Provisions of the Proposed Law

If The Commercial Privacy Bill of Rights Act becomes law, this will change – in a big way. For the first time, we’ll have a federal privacy statute of general application.

So, what’s new with the proposed law? Here are some of the key points:

* Covered entities – any site that collects, uses, transfers, or stores “covered information” about more than 5,000 individuals during any consecutive 12-month period.

* “Covered Information” – personally identifiable information and any unique persistent identifier associated with an individual or networked device that may be used to identify a specific individual.

* Rights to security and accountability – included is “privacy by design” which requires the implementation of a comprehensive privacy program that incorporates privacy practices throughout the product life cycle.

* Rights to transparent notice and individual participation – notice includes clear, concise, and timely notices of privacy practices; opt-out mechanisms for (i) specific uses of covered information, and (ii) use of covered information by third parties for behavioral advertising; opt-in mechanisms for (i) use of covered information for uses other than processing a transaction, and (ii) use or transfer of previously collected covered information if there is a material change in privacy practices that would create a risk of physical harm; access to covered information; and de-identification of covered information when individual service terminates.

* Use of service providers – covered entities that use service providers are required to enter into a contract with the service provider to treat covered information as private and secure in accordance with the new statute.

* Collection of information – limited to collection of only as much information as is reasonably necessary to process a transaction or request, prevent fraud, investigate a crime or comply with a law, market using the information collected directly, conduct research and development to improve service, or for surveys of website analytics.

* Retention of covered information – retention is authorized only as long as needed to process a transaction or deliver a service, conduct research and development, or comply with the law.

* Distribution of information – transfers of any information to a third party are authorized only if the covered entity performs due diligence indicating that the third party is reliable and the third party enters into a contract to use the information consistent with the new statute; combination of the information by the third party with other information is prohibited unless opt-in consent has been given.

* Enforcement – enforcement would be permitted by the FTC and state attorneys general; there would be no private right of action.

* Penalties – civil penalties of up to $16,500 per day for violations affecting individuals, with a cap of $3 million for violating the security and accountability provisions and a separate cap of $3 million for violating the notice and individual participation provisions.

Conclusion

If passed as proposed, The Commercial Privacy Bill of Rights will have a huge impact on covered eCommerce websites. The cost to comply will be substantial. Penalties for non-compliance are potentially devastating.

The proposed law would not only affect a website’s policies for collection, use, and sharing of personal information; it would also affect the design of websites, the design and structure of customer and prospect databases, and how websites actually function and operate.


Leading SaaS attorney Chip Cooper has automated the process of drafting Website Legal Documents with his Website Legal Forms Generator. Use his free online tool — Website Documents Determinator — to determine which legal documents your website really needs. Discover how quick, easy, and cost-effective it is to draft your website legal forms at www.digicontracts.com/whichdocs/.

6 Responses to “Your Site and the Commercial Privacy Bill of Rights Act of 2011”

    More and more complex …

    Tim says:

    It’s a pattern that repeats itself every day. Corporation perceives competition from small business. Corporations lobby Congress to regulate some aspect of the market. The effect of the regulation is to raise costs to the small business. Corporations are grandfathered or otherwise exempt from the regulation. Corporations grow fat – small business struggles even harder. What was that about unfair methods of competition?

    Very scary. It may be time to move all of our sites over to Canadian servers.

    Sharon J says:

    This is very interesting. I always thought it was a good idea that companies posted their privacy policy but did not realize they were setting themselves apart from unscrupulous companies that did the opposite because there was no law. I thought the bad guys did it simply because they were unscrupulous.

    I am not certain how this law will affect the actual design and look of a website though, other than the unseen size and complexity of its database. I would enjoy hearing your ideas on that.

    Kevin says:

    This is definitely something that needs to be addressed, but if I understand it correctly, this law will primarily have an impact on US websites, is that correct? Seems kind of unfair. Also, it will be interesting to see how a website must comply with certain design specifications.

    Spam Ratings says:

    This is great news for online privacy, a start to trying to control the subject area which is currently totally out of control at the company security level.

    There are, however, lots of ways people can protect themselves online. One way is to use temporary email addresses. These allow you to select which emails you would like to be delivered into your inbox. It is remarkably easy: http://www.spamratings.com/consumers/the-cleanzer-tour
