Data security and consumer privacy are hot-button issues these days. They are gaining momentum and many – including the Obama administration – believe that it is time for a new regulatory framework.
Proposed regulations could have a direct impact on any entity that collects, stores, or shares data on a large scale.
Data brokers, online marketers, advertising agencies and networks, media and publishing companies, mobile application developers, retailers, web browsers and operators, credit reporting agencies, and financial services companies must be intimately aware of the status of these debates so that they can prepare for an almost certain new regulatory framework.
Numerous high-profile incidents have accelerated legislative discussions for increased regulation.
Everyone from large corporations to government entities has fallen victim to large-scale data breaches, and many mobile devices have been discovered to allow the tracking and recording of a user’s locations.
Sensitive information such as names, dates of birth, Social Security numbers, e-mail addresses, passwords, locations, and health- and finance-related information increasingly seems at risk.
Over a dozen bills have been introduced this year in response to privacy advocates’ clamoring for heightened regulation.
In fact, the FTC and Department of Commerce have published their own recommendations.
THREE TYPES OF PROPOSED PRIVACY LEGISLATION
Generally, the proposals pertain to three specific areas:
- Online and point-of-sale privacy
- Mobile device privacy
- Data security and breach notification
Now is an ideal time for any business entity that may be at risk to critically examine their privacy and data security procedures to ensure compliance with legal and industry best practice standards on both the national and state levels.
The following is intended as a brief overview of pending regulatory proposals in Congress and the federal agencies, the implications of proposed regulations, and what companies should do to comply with the confusing patchwork of privacy regulations currently in place.
Legislative proposals in recent bills on consumer privacy and data security generally pertain to three topics:
- Consumer privacy bills seek to help consumers control what personal information is collected, used, stored, or shared based on their online and point-of-sale behavior.
- Mobile privacy bills seek to help consumers take control of what information is collected, used, stored, or shared based on their mobile device usage and their geolocation.
- Data security and breach notification bills seek to implement new protocols for protecting data and to create a national standard for notifying affected individuals and government agencies when a data breach has occurred.
Six bills have been introduced this year pertaining primarily to online and point-of-sale privacy.
When browsing the Internet or making purchases at a store, consumers reveal valuable, sometimes highly sensitive, information that is used to construct user profiles based on their location, their preferences, and their contact information.
This data can be very valuable for behavioral marketers, which is the precise reason that the market for such consumer data continues to grow so rapidly.
The purpose of the privacy bills is to change how consumer information is collected, stored, used, and shared, and what and how consumers are informed about these practices. Bills regarding data collection call for opt-out or opt-in mechanisms that require prior, express consent from the consumer before any personal information can be collected.
Bills contemplating data storage impose new limits on the scope and duration of data retention, as well as new security procedures to safeguard information. Bills regarding data use and sharing impose limits on the purposes for which data may be used, restrict with whom a data collector (e.g., a retailer) can share information, and set new standards for whether consumer consent or notification is necessary before information can be used in certain ways or shared with a third party.
While the themes discussed above generally characterize the current group of legislative proposals, there exist slight differences between each of the privacy-focused bills.
KEY ONLINE PRIVACY BILLS:
- Rep. Jackie Speier (D-Calif.): Do Not Track Me Online Act of 2011. This bill would require opt-out mechanisms for the collection or use of online and personal data;
- Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.): Commercial Privacy Bill of Rights Act of 2011. This bill would require opt-out mechanisms for data use or sharing, as well as opt-in consent for the collection, storage, or sharing of sensitive personal information;
- Rep. Bobby Rush (D-Ill.): BEST PRACTICES Act. This bill is similar to the Kerry-McCain proposal and calls for opt-out mechanisms for data collection and storage, as well as opt-in consent for certain third-party information sharing;
- Rep. Cliff Stearns (R-Fla.): Consumer Privacy Protection Act of 2011. This bill would allow consumers to opt-out of having their personally identifiable information shared with third parties;
- Sen. John D. Rockefeller IV (D-W.Va.): Do-Not-Track Online Act of 2011. This bill would give consumers the ability to opt-out of having their online data tracked and stored. This proposal would go one step further than the other privacy bills by also imposing limits on data collection from mobile devices;
- Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas): Do-Not-Track-Kids Act. Markey and Barton’s proposal would preclude online companies from using personal information for targeted marketing to children, would enable parents to delete the history of their children’s online behaviors, and would require parental consent for any data tracking online or on mobile devices.
MOBILE DEVICES LEAVE AN ELECTRONIC TRAIL
An entirely separate group of bills focuses its attention on mobile devices. Users who access GPS-enabled applications on their mobile devices, tablet devices, and smartphones leave an electronic trail that can be used to reveal both present and past physical locations.
KEY MOBILE PRIVACY BILLS:
Some of the key proposals in this particular area include:
- Sen. Ron Wyden (D-Ore.) and Rep. Jason Chaffetz (R-Utah): Geolocation and Privacy Surveillance (GPS) Act. These bills would prohibit companies from collecting or sharing geolocation information without the user’s express consent;
- Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.): Location Privacy Protection Act of 2011. This bill would require any covered entity to offer prior notice and obtain express consent from consumers in order to track and collect their geolocation information;
- Sen. Patrick Leahy (D-Vt.): Electronic Communications Privacy Act (ECPA) Amendments Act of 2011. Enacted in 1986, the ECPA restricts third-party access to private electronic communications, such as online activity and e-mails. However, the ECPA does not cover GPS-based information. Therefore, Leahy proposed this update to add geolocation information as a new class of private communications subject to the protections of the ECPA.
DATA SECURITY AND BREACH NOTIFICATION:
Key proposals that focus primarily on data security and breach notification have recently been introduced. The purpose of these bills is to require entities that collect or store data to take steps to prevent bad actors from accessing personal information and to create a standard for notifying government agencies and consumers if an organization’s data is breached.
Limits on the scope and duration of data storage are the main focus.
The theory goes – if less data is stored and for a shorter period of time, then less data is necessarily at risk. Proposed security and notification legislation also mandates security policies to prevent unauthorized third-party access to data, as well as procedures and time frames to alert affected individuals and government agencies when a data breach has occurred.
DATA SECURITY AND BREACH NOTIFICATION BILLS:
The key bills in this particular area include:
- Sens. Rockefeller and Mark Pryor (D-Ark.): Data Security and Breach Notification Act of 2011. This bill requires businesses and nonprofit organizations that store personal information to implement reasonable security measures and alert consumers when their data has been compromised. In the event of a breach, affected individuals would be entitled to free credit monitoring services for two years;
- Leahy: Personal Data Privacy and Security Act. This bill is similar to bills Leahy has introduced in the past and his proposal calls for businesses to enact security procedures to protect sensitive data. It would create a federal standard for notifying appropriate parties of a breach;
- Bono Mack (R-Calif.): SAFE Data Act. Her proposal requires businesses to notify consumers and the FTC within 48 hours of containing and assessing a breach and would entitle affected individuals to free credit monitoring services for two years;
- Rep. Cliff Stearns (R-Fla.): DATA Act of 2011. Stearns’ data security and breach bill is similar to Rep. Rush’s in its call for tighter protections of data storage systems, in addition to setting a standard for notifying affected individuals and government authorities in the event of a breach.
Of note, California recently amended its data breach notification law and as of January 1, 2012, California businesses are required to provide notice to individuals of the breach of their personal data, and must also notify the state Office of the Attorney General if the breach requires notification of more than 500 California residents.
For the first time, California will also require that notices to individuals include certain information, such as the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.
Despite the number of competing legislative proposals, Congress will almost certainly pass a national standard on these issues soon.
The FTC and the Department of Commerce have issued their own recommendations addressing online and point-of-sale privacy, mobile device privacy, data security, and breach notification.
The aims of the FTC and Department of Commerce plans include limits on what information can be collected, how long it can be stored, simpler and more easily understood privacy policies, do-not-track preferences that follow a user from website to website, increased transparency on the part of data collectors, and requiring companies to build security and privacy measures into products.
Broad sweeping changes in these areas will almost certainly have far reaching practical implications that could reach just about every consumer and business in the country.
Data privacy regulations, as currently proposed in “do-not-track” and geo-location bills, would significantly change operations for entities that purchase consumer information for behavioral marketing purposes. Third-party purchasers would be affected by stricter privacy regulations.
New regulatory standards could change the online advertising landscape. They could significantly impact the mobile phone market because data privacy and geo-location bills could conceivably curtail data-centric, targeted marketing.
Under many of the proposals, ad networks, retailers, content websites, data brokers, mobile network providers and application developers, and any type of entity that collects and stores personal information would likely be impacted and limited in their ability to collect, store, use, or share consumer information.
If data security and breach notification proposals are adopted, covered entities would be mandated to comply with specific regulatory methods for storing consumer information and responding to breaches.
New data breach and privacy regulations will, undoubtedly, create countless hurdles and landmines in the information trade sector.
In the meantime, the wise thing to do is to evaluate policies in terms of existing law and best practice standards. If businesses do not currently meet regulatory standards, raising the threshold “if and when” will be much more difficult.
Currently, no comprehensive federal privacy law governs the collection, use, storage, and sharing of consumer information.
Instead, a constantly evolving patchwork of sector-specific and data-specific state and federal privacy laws makes such compliance assessments difficult. Therefore, steps should be taken to minimize data privacy and security risks.
HOW TO MINIMIZE YOUR LEGAL EXPOSURE:
So, what can be done to safeguard sensitive information and minimize exposure? Here are some simple steps regarding the design and implementation of a sound data security plan:
- Implement reasonable written privacy and security policies, immediately.
- Identify risks and implement appropriate technological solutions.
- Assign one individual to oversee privacy and security issues.
- Take stock. Inventory what you have and train workers on privacy and data security matters.
- Scale down and pitch it. Keep only what you legitimately need.
- Lock it: physical security.
- Plan your response to security incidents, ahead of time.
- Consult with an experienced Internet Law Attorney.
PROPOSED INTERNET LEGISLATION:
- Atlantic.com: The Legislation That Could Kill Internet Privacy for Good: The Protecting Children from Internet Pornographers Act of 2011