
Summary of U.S. Privacy Legislation Pending in 2011

 

Do-Not-Track Online Act of 2011 (Proposed, S-913)

The Do-Not-Track Online Act would apply to any organizations governed by the Federal Trade Commission Act, as well as nonprofits. The bill would take effect on the date of its enactment, and regulations for implementing the program would have to be issued no later than one year after that date.

The Act would require the FTC to issue regulations that: (1) establish standards for mechanisms by which individuals could state their preference for the collection of data about themselves by providers of online services, including mobile applications and services; and (2) require online companies to accommodate the individual’s Do-Not-Track preference.

Exceptions would be allowed for collection and use of information on individuals where (1) it is necessary to provide a service the individual has requested, provided that the data is rendered anonymous, or is deleted, as soon as the service is provided, or where (2) the individual is given clear notice of the collection and use of such information, and affirmatively consents to it (i.e., opts in).

A violation would be treated as an unfair and deceptive act or practice under Section 18 of the FTC Act. State Attorneys General and other state officials would be authorized to enforce the DNTOA through civil actions brought in federal court, and to seek civil penalties for non-compliance up to $16,000 per day to a maximum total liability of $15,000,000.

 

Commercial Privacy Bill of Rights Act of 2011 (Proposed, S-799)

The Commercial Privacy Bill of Rights Act would establish every American’s right to have their personally identifiable information (PII) protected during its collection, use, and dissemination.

Collectors of information would be required to: (1) implement security measures to protect the data; (2) clearly notify individuals of their collection practices and purpose; (3) enable individuals to opt out of any collection not authorized by the Act; (4) obtain affirmative consent (opt-in) for the collection of sensitive PII; and (5) give individuals the ability to access and correct their data, or to request cessation of its use and distribution.

Collection activity for the purpose of transferring data to third parties for behavioral advertising would require robust and clear notice to inform individuals of their ability to opt out of such a program. Entities would be (1) required to collect only as much data as needed to process a transaction or deliver a service; (2) allowed to use it for research and development to improve the transaction or service; and (3) required to retain it for a reasonable period of time only.

Collectors would be required to bind third parties, by contract, to ensure that any individual information transferred to the third party would only be used in accordance with the Act’s requirements.

State Attorneys General and the Federal Trade Commission (FTC) would enforce the Act, but simultaneous enforcement by both would not be permitted, nor would private rights of action.

 