by Kevin Mills
In my last post, I discussed the recent Federal Trade Commission (“FTC”) report on internet privacy that was released in March 2012 (the “Report”). The Report had two basic themes. First, industry, working with government and consumer groups, should implement best practices for safeguarding consumer’s privacy and, second, Congress should consider enacting targeted legislation to provide greater transparency for and control over the practices of information brokers. In this post, I’m going to examine the legislative aspects of the Report.
The Report calls on Congress to consider enacting baseline privacy legislation. It echoes the Obama Administration’s call, issued earlier this year, for a new law that would serve as a Consumer Privacy Bill of Rights by establishing a basic set of online privacy principles. The Report also calls for a new law that would allow consumers to access and dispute personal and financial data that is collected and sold by data brokers without consumers’ permission.
Consumer groups and privacy advocates were generally pleased with the Report’s recommendations. Internet companies were less pleased. Senator John F. Kerry (Democrat) and Congressman Edward J. Markey (Democrat), advocates of online privacy protection, praised the Report, noting that it endorsed many of the legislative safeguards they have proposed in the past.
In April 2011, Kerry and Republican Senator John McCain co-sponsored the Consumer Privacy Bill of Rights, legislation that would afford consumers the right to opt out of information collection and would require companies to obtain consumers’ consent before gathering sensitive, personally identifiable data. Kerry, who chairs the Senate Subcommittee on Communications, Technology, and the Internet, has expressed frustration that the bipartisan bill has not yet passed, and hopes that the FTC Report will spur his colleagues in Washington to pass the bill.
Markey also issued a similar statement, linking the Report to a House bill that he and Republican Joe Barton of Texas filed last May. The Markey-Barton bill focuses on privacy protections for children under sixteen, aiming to ban targeted advertising directed at children and teens and to create an “eraser button” to enable the deletion of minors’ personal information. The Markey-Barton proposal is meant to strengthen the Children’s Online Privacy Protection Act of 1998 (“COPPA”), which covers only children twelve and younger, and predates many forms of contemporary digital media.
Markey noted that, “As in our legislation, the [Report] appropriately highlights the importance of providing teens with clear information about how their personal data is used, so they can be empowered to exercise control over these uses.” The Report notes that teens are especially vulnerable to targeted advertising due to their use of social media and mobile devices, making it all the more important that legally enforceable privacy protections for this age group are updated.
Personal information is valuable to businesses because it allows them to present relevant advertisements to consumers based on the interests that internet users display online. Companies benefit from an ability to concentrate their marketing resources on promising buyers and, they argue, consumers benefit from a selection of ads that appeal to their tastes. But a study released in March 2012 by the Pew Internet and American Life Project suggested that people find targeted advertising to be more creepy than convenient. More than two-thirds of internet users said they have unfavorable opinions of targeted ads “because they do not like having their online behavior tracked and analyzed.” Only 28% approved of the practice of targeted advertising.
Regulating targeted advertising is at the core of the Report and the legislative efforts of Kerry and Markey. The Kerry-McCain and Markey-Barton bills would give the government a degree of authority that it currently lacks – authority that industry self-regulation cannot achieve alone. The bills would provide the commission rulemaking authority concerning notice, consent, and the transfer of information to third parties.
One interesting aspect to any new legislation will be what the FTC calls its “Global Interoperability.” Reflecting differing legal, policy, and constitutional regimes, privacy frameworks around the world vary considerably. There is a need to promote more consistent and interoperable approaches to protecting consumer privacy internationally. Meaningful protection of data requires an ability of legal regimes to work together and requires enhanced cross-border enforcement. Global Interoperability may be tricky to achieve, however; 107 other countries have their own sets of privacy laws regulating the internet. The EU has comprehensive privacy laws, which have recently been amended and have been made tougher. In Europe, a consumer’s consent has to be real and informed, and the EU Justice Commission has announced new privacy legislation that would impose hefty fines on rule breakers. Clearly, European privacy regulators have a message for America’s tech giants: respect European privacy rules — or else.
Kevin Mills is an owner of the law firm of Kaye & Mills where his practice focuses on advising clients with transactions across a full range of issues in entertainment, media, technology, Internet and general business. His practice encompasses copyright; trademark; trade dress; trade secret; brand protection; content creation, protection and distribution; and general corporate, organizational and business matters.