Kerry, McCain Release Commercial Privacy Bill of Rights Act 2011

Published: Apr. 14, 2011

Updated: Oct. 06, 2020

On April 12, 2011, Senators John Kerry (D-MA) and John McCain (R-AZ) released the Commercial Privacy Bill of Rights Act of 2011. If passed, the bill would implement a comprehensive privacy framework governing the data collection and use practices of most U.S. private companies and non-profits.

Who’s covered

The provisions would apply to any person who collects, uses, transfers, or stores covered information about more than 5,000 individuals during any consecutive 12-month period, and:

• Is subject to the authority of the FTC under Section 5 of the FTC Act;
• Is a common carrier subject to the Communications Act of 1934; or
• Is a non-profit organization, including organizations described in section 501(c) of the Internal Revenue Code.

Covered entities would be required to implement security and privacy controls to protect covered information and ensure individuals are given clear notice and choices about how their covered information is collected and used.

What’s covered

“Covered information” is defined to include the following (with some exceptions):

• Personally identifiable information;
• Unique identifier information (defined separately as “a unique persistent identifier associated with an individual or a networked device, including a customer number held in a cookie, a user ID, a processor serial number, or a device serial number”);
• Any other information that is collected, used, or stored in connection with personally identifiable information or unique identifier information in a manner that may reasonably be used by the party collecting the information to identify a specific individual.

What’s not included: A requirement for a do-not-track mechanism (as proposed in the FTC Staff Report released last December).

A detailed summary of the bill can be found in our client alert.

The full text of the legislation can be found here.