Tuesday, April 26, 2011

Commercial Privacy Bill of Rights Introduced in Congress

The introduction of the so-called Commercial Privacy Bill of Rights by Senators Kerry and McCain on April 12, 2011 suggests that we may be about to enter an era of robust regulation of information gathering regarding the online browsing and shopping habits of consumers. This type of data has come to be an important tool for online marketers to improve the efficiency of online advertising buys, and to improve other marketing techniques. At a minimum, this development presents a risk that online merchants will need to build out substantial new technical infrastructure to accommodate a welter of new rules under this bill. Beyond that, it may make it difficult even for highly respected and responsible merchants to engage in marketing activities that are an important part of their tool kit in the information age.

Among other things, the bill contains the following requirements:
  • Collectors of information must implement security measures to protect the information they collect and maintain.
  • Collectors of information must provide clear notice to individuals of the collection practices and the purposes of such collection. Additionally, collectors must provide the ability for an individual to opt out of any information collection that is unauthorized by the Act and to provide affirmative consent (opt-in) for the collection of sensitive personally identifiable information. Respecting companies’ existing relationships with customers and the ability to develop a relationship with a potential customer, the bill would require "robust and clear" notice to an individual of his or her ability to opt out of the collection of information for the purpose of transferring it to third parties for behavioral advertising. It would also require collectors to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution.
  • Collectors must bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the bill’s requirements. The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.
These requirements can be expected to have significant operational impacts on direct marketers. The requirement for notice and opt-out rights for a series of practices that are quite technical in nature promises to be easier said than done. Existing privacy laws require only notice of the collection of personal information (much more narrowly defined than in this bill) and only very limited opt-out rights, essentially limited to CAN-SPAM compliance. This new bill would potentially require merchants to allow consumers to opt out of the collection of pixel tags, the placing of cookies, and the sharing of data harvested from those tools with third parties. Simply building the tools necessary to collect and implement those requirements would pose significant burdens and costs for online marketers, and may very well be beyond the abilities of many merchants.

Further, the bill stretches the definition of personal information beyond any commonly understood meaning of that term. It includes email addresses and postal addresses, and if "used, transferred or stored" in connection with any of the foregoing, birth date, and most significantly, "unique identifier information." Unique identifier information is defined as "a unique persistent identifier associated with an individual or a networked device, including a customer number held in a cookie, a user ID, a processor serial number, or a device serial number." This definition essentially means that virtually any data collected about a browsing session will be protected by this statute, with strict limits on the ability to use or transfer that data without approval.

The existence of an "established business relationship" exception to some of the requirements of the bill provides cold comfort. It applies not to the commonly understood relationship of customer and merchant, but only to the "establishment of an account." While this may be typical of some merchants' relationships with their customers, many retailers do not require the establishment of an account in order to make a purchase. It is interesting to note, however, that the 800-pound gorillas in the online space, notably Google and Facebook, would be the most likely to benefit from this exception.

The bill seeks to accomplish these objectives by requiring the FTC to promulgate regulations effectuating the statute's requirements for the most part within 60 to 180 days after enactment of the bill, depending upon the provision at issue. Accordingly, it will likely be a long time before these requirements take effect (if ever), given the Congressional legislative calendar, and the frequently protracted rule-making process that would attend any promulgation of regulations. During both the legislative process and the regulatory process, the direct marketing industry will have an opportunity to point out the technical challenges presented by this statute, as well as the potential unintended consequences, including damage to the economy, that the statute could create.
