Privacy Law Update

Overview

In recent months, the media has been filled with discussions of privacy issues related to the Internet. Public pressure is forcing the U.S. Congress to deal with these issues. In the first of a series on Internet privacy, we summarize the various bills currently pending in Congress.

Existing Privacy Acts

In October 1998 the European Data Privacy Directive went into effect. The directive contained a provision that prohibited the transfer of data to any country that does not have an adequate level of privacy. For that reason, and because the United States' sectoral approach to privacy was considered inadequate by the European Union ("EU"), commentators anticipated the enactment of new legislation to comply with the EU directive.

In the intervening two years, the U.S. Congress has passed only one major privacy bill, the Children's Online Privacy Protection Act ("COPPA"). COPPA requires web sites that target children under the age of thirteen to obtain verifiable parental consent before they gather information from these children. In that same period, the Federal Trade Commission ("FTC") developed the "Safe Harbor," a framework by which U.S. companies may voluntarily comply with a set of privacy principles. The FTC maintains a list of approved companies on its web site (http://www.export.gov/safeharbor), which went operational in November 2000. The Safe Harbor framework was approved by the EU in July of 2000. The Safe Harbor is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. A U.S. company certifying to the Safe Harbor will assure that EU organizations know that the company provides "adequate" privacy protection, as defined by the Directive, and data flows to those companies will continue. Additional benefits of appearing on the Safe Harbor list are that EU member state requirements for prior approval of data transfers will either be waived or automatically approved, and claims brought by European citizens against U.S. companies will be heard in the U.S., subject to limited exceptions.

Now that a framework exists allowing U.S. companies to comply with the EU Privacy Directive, one might expect that privacy concerns would diminish. This has not happened. Pressure from privacy groups and fears that privacy concerns may stunt the growth of electronic commerce have resulted in strong bipartisan support in Congress for new privacy legislation.

New Privacy Bills Introduced

In the first weeks of the 107th Congress, seven new privacy bills have been introduced in the House of Representatives, and two in the Senate. A summary of these bills follows.

H.R. 89, Online Privacy Protection Act of 2001

Sponsor: Rep. Frelinghuysen (R-NJ). This bill would require the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected on the Internet from and about individuals who are not covered by COPPA, and to provide greater individual control over the collection and use of that information. Specifically, the bill would require a web site to post the identity of the operator of the site and list what personal information is collected, how the operator uses the information, and what information the operator will share. The bill would require a process that provides an individual with a method to consent to or limit the disclosure of personal information. The bill contains a safe harbor provision. The bill would prescribe civil penalties only and is enforceable by the FTC or state government actions, but not by private individuals. Latest Major Action: 1/3/2001 Referred to House committee: House Energy and Commerce.

H.R. 90, Know Your Caller Act

Sponsor: Rep. Frelinghuysen (R-NJ). A bill to amend the Communications Act of 1934 to prohibit telemarketers from interfering with the caller identification service of any person to whom a telephone solicitation is made. Latest Major Action: Referred to House Committee: Committee on Energy and Commerce.

H.R. 91, Social Security On-Line Privacy Protection Act

Sponsor: Rep. Frelinghuysen (R-NJ). The bill would regulate the use by interactive computer services of Social Security account numbers and related personally identifiable information. The act provides for civil penalties only and would be enforced by the FTC. Latest Major Action: 1/3/2001 Referred to House committee: House Energy and Commerce.

H.R. 112, Electronic Privacy Protection Act

Sponsor: Rep. Holt (D-NJ). The bill would prohibit the making, importation, exportation, distribution, sale, offer for sale, installation, or use of an information collection device without proper labeling or notice and consent. Latest Major Action: 1/3/2001 Referred to House committee: House Energy and Commerce.

H.R. 199, Law Enforcement Officers Privacy Protection Act

Sponsor: Rep. Sweeney (R-NY). The bill would amend Rule 26 of the Federal Rules of Civil Procedure to provide for the confidentiality of personnel records and personal information of law enforcement officers. Introduced 1/3/2001. Latest Major Action: Referred to House committee: House Judiciary.

H.R. 220, Identity Theft Protection Act of 2001

Sponsor: Rep. Paul (R-TX). The bill would amend title II of the Social Security Act and the Internal Revenue Code of 1986 to protect the integrity and confidentiality of Social Security account numbers, to prohibit the establishment in the Federal Government of any uniform national identifying number, and to prohibit Federal agencies from imposing standards for identification of individuals on other agencies or persons. Latest Major Action: 1/3/2001 Referred to House committee: House Ways and Means and House Government Reform.

H.R. 237, Consumer Internet Privacy Enhancement Act

Sponsors: Rep. Eshoo (D-CA) and Rep. Cannon (R-UT). This bill would prevent a commercial web site operator from collecting personally identifiable information from users of the web site unless it first gives notice of what information is collected and how it will be used, and gives the users the opportunity to limit the use of that information. The FTC would be given enforcement authority, but states would be allowed to bring parens patriae actions to enforce it. The bill does not provide for private action. The bill does provide a "safe harbor" for web site operators that have complied with self-regulatory guidelines that are issued by seal programs or representatives of the marketing or online industries and that are approved by the FTC. This bill only provides for civil penalties. Introduced 1/20/2001. Latest Major Action: 1/20/2001 Referred to House committee: House Committee on Energy and Commerce.

S. 30, Financial Information Privacy Protection Act of 2001

Sponsor: Sen. Sarbanes (D-MD), co-sponsored by Sens. Dodd, Durbin, Edwards, Harkin, Kerry and Leahy. A bill to strengthen control by consumers over the use and disclosure of their personal financial and health information by financial institutions. The bill would restrict a financial institution from disclosing transactions made by a consumer by check, debit card, credit card, or other similar institution. Additionally, the bill would restrict the transfer of aggregate lists of information containing or derived from individually identifiable health information. Another section of this bill restricts the use of health information in making credit and financial decisions unless (1) the consumer has consented; (2) the consent has not been withdrawn; and (3) the financial institution requires the same health information about all consumers as a condition for receiving the product or service. Unlike other bills, this bill also places limits on re-disclosure and re-use of information by third parties who receive non-public personal information from a financial institution. Consumers are to be given access to their personal information and given an opportunity to correct any errors. Enforcement is provided by the FTC, and states may bring parens patriae actions. The bill provides for civil penalties only. Introduced 1/22/2001. Latest Major Action: 1/22/2001 Read twice and referred to the Committee on Banking, Housing, and Urban Affairs.

S. 197, The Spyware Control and Privacy Protection Act

Spyware is defined as any software that can transmit information about files a computer user downloads from the Internet. The bill incorporates all four fair information practices: notice, choice, access and security. The Act requires that any software that contains spyware must provide consumers with clear and conspicuous notice, at the time the software is installed, that the software contains spyware. The notice must also describe the information that the spyware will collect and indicate to whom it will be transmitted. Another critical provision of the bill requires that software users must first give their affirmative consent before the spyware is enabled, or in other words, software users must "opt-in." Sen. Edwards stated, upon introducing the bill, that "spyware is present in four hundred software programs, including commonly used software such as RealNetworks RealDownload, Netscape/AOL Smart Download, and NetZip Download Demon." Last Action 1/29/01, referred to the Senate Commerce Committee.

State Privacy Bills Expected

It is also expected that Sen. John McCain (R-AZ) will reintroduce a privacy bill that would require web sites to disclose how customer data is used as well as giving customers a chance to limit how web sites use it. Another bill expected to be introduced will seek to give end users the ability to opt out from having cookies placed on their computer systems.

A number of states are also expected to consider online privacy bills this year. State legislatures are just beginning to convene, but a total of fourteen bills related to online identity theft, fraud, and children's issues have already been introduced in Arizona, Massachusetts, New Jersey and Missouri. In addition, fifty-three bills dealing with financial privacy have been introduced in twenty-one states, mostly in response to the Gramm-Leach-Bliley Act.

Opposition to State Regulation

However, many privacy groups are now supporting federal regulation as opposed to state regulation. The main reason federal regulation is preferred is consistency. If each state enacts its own laws, a confusing myriad of inconsistent privacy laws is feared. In addition, the enforceability of state law is questionable in light of the commerce clause.

Recently, a group of seventeen organizations, ranging from the American Library Association to the Electronic Privacy Information Center (EPIC), sent letters to President Bush and Congressional leaders proposing a privacy protection framework. The proposal seeks the implementation of so-called "Fair Information Practices," which would require companies to give individuals access to the personal information that is collected by web sites and the ability to correct erroneous information. The proposal also seeks to limit new surveillance technologies. The groups have also asked the government to create a special privacy commission that would review and address privacy issues as they arise.

Conclusion

It seems likely that the 107th Congress will enact privacy legislation. Sen. Ron Wyden (D-OR) recently stated, "significant privacy legislation is going to be sent to the President of the United States this year. And the debate is not, is it going to be sent to the President, but the debate is, what is it going to look like." The scope of the legislation is yet to be determined. Thus, this is an area of law that bears close watching.
