A Look at the Commercial Privacy Bill of Rights Act of 2011

[Post by Venkat Balasubramani]

The Commercial Privacy Bill of Rights Act of 2011

Senators McCain and Kerry recently introduced the Commercial Privacy Bill of Rights Act of 2011. It will probably go through various iterations before being enacted, and its prospects are far from certain, but I thought would summarize what jumped out at me when I first read it.

Who does it apply to? It applies to anyone who “collects, uses, transfers or stores” information concerning more than 5,000 individuals in a 12 month period and who is subject to the authority of the Federal Trade Commission (or is a common carrier or a non-profit). However, it does not apply to government agencies. (See “Privacy ‘bill of rights’ exempts government agencies.”)

Who gets to enforce it? The FTC and state attorneys general. The Bill does expressly state that it “may not be construed to provide any private right of action.” A separate provisions says that other than as authorized under the Bill, no one can use the provisions of the Bill as a basis for state law claims. There are provisions which touch on customer rights, but end users cannot bring an action to enforce the provisions of the Bill.

What is the effect on state laws? The Bill would preempt state laws to the extent those laws relate to the collection, use, or disclosure of covered information, personally identifiable information, or personal identification information. The short title contains a nod to avoiding a “patchwork of inconsistent standards and protections.” The Bill’s preemption clause carves out (1) state laws addressing “health or financial information,” (2) state data breach notification laws, and (3) state laws which relate to “fraud.” If enacted, it looks like the states are going to have to take a back seat to this Bill and are going to have a tough time enacting online privacy statutes.

What information is covered? The Bill defines “Personally identifiable information,” as (1) the first and last name of an individual; (2) postal (residential) address; (3) email address; (4) telephone number or mobile number; (5) social security number; (6) credit card number; (7) “unique identifier information that alone can be used to identify a specific individual“; or (8) “biometric data,” including fingerprints and retina scans. [emphasis added]

The definition of PII also covers any of the following if stored or used along with (1) through (8) above: (1) date of birth; (2) birth certificate number; (3) place of birth; (4) unique identifier information “that alone cannot be used to identify a specific individual;” (5) “precise geographic location,” excluding general geographic information that can be derived from an IP address; (6) information about an individual’s use of “voice services, regardless of technology used;” and (7) a catch-all.

The Bill also contains a third category of information which it calls “sensitive” PII, which includes medical/health information and the “religious affiliation” of an individual.

The Bill excludes PII that is obtained from public records and “that is not merged with covered information.” Information that is voluntarily shared (without restriction) and that is widely and publicly available is also excluded.

What is “unauthorized use”? Unauthorized use is broadly defined as use of “covered information . . . for any purpose not authorized by the individual.” The definition contains a list of exceptions to deal with things like transaction processing, fraud prevention, and compliance with subpoenas. One of the exceptions deals with online advertising, and provides that use for marketing or advertising (from a covered entity in the context of the entity’s own website, services, or products) is not unauthorized if the information is (1) used by the entity which collects the information or (2) used by a third party “at the affirmative request of the individual” or where the affected individual has “an established business relationship” with the individual. There’s also a catch-all provision which states that the exclusions apply only where the use is “reasonable and consistent with the practices described in the notice” pursuant to which the information was collected.

The Bill directs the FTC to enact rules which will require any covered entity to offer a “clear and conspicuous” opt-out for any unauthorized use of PII, and specifically to offer “robust, clear, and conspicuous mechanism” for use of information by third parties for “behavioral advertising or marketing,” and “clear and conspicuous” opt-in consent for the treatment of sensitive PII and the use or transfer to a third party of previously collected PII (if there is a material change in the entity’s practices and the use or transfer creates a “risk of economic or physical harm”).

Does the Bill allow users to force entities to correct their information? The FTC is directed to implement rules which would also require covered entities to allow users can access their information and a mechanism to “correct such information to improve the accuracy of such information.” Finally, the FTC rules would address transfers in the event of a bankruptcy. The Bill also addresses security standards.


This is a meaty piece of legislation that will easily fatigue anyone who tries to digest it in one sitting. Whether or not it accomplishes anything in terms of user privacy, it will certainly keep many lawyers gainfully employed.

One of the big questions is how any privacy legislation will affect the online advertising market. How does it affect the use of cookies, which allow sites or advertising networks to collect information which is used for targeting? The rules which the FTC is directed to enact would:

offer individuals a robust, clear, and conspicuous mechanism for opt-out consent for the use by third parties of the individuals’ covered information for behavioral advertising or marketing.

The National Advertising Initiative (which many advertising networks are a part of) offers an opt-out, and one question is whether this (or a similar) opt-out would suffice. There was speculation about a “do-not-track” list but “do-not-track” did not make it into the bill. It was unclear to me as to whether if someone exercised their opt-out right, a site or company in question (the third party) would have to stop using the person’s data, or whether the opt-out would be passed up the chain (i.e., to an ad network).

Interestingly, the Bill only covers “personally identifiable information” (and sensitive PII). “Unique identifier information” is defined as information that “alone can be used to identify a specific individual.” The definition of “covered information” in turn references PII and “unique identifier information,” and information that is collected with either of these. This means that at least some tracking will not even be covered by the opt-out rules. Retailers, for example, who use cookies to track your browsing look like they may be covered (and would be entitled to the business relationship exception anyway, to the extent they collect personally identifiable information along with information used for tracking purposes), but sites that you don’t register or provide your identifying information to are not necessarily using any “covered information” when they target advertising using cookies. (The practice of anonymization – stripping information of any personal attributes and then using it for targeting purposes – looks like it may be OK under the Bill as well.)

The Facebook exception is something that is worth flagging. Facebook reportedly sent an army of lawyers and lobbyists to the hill to fight for the “established business relationship” exception. The fight was successful, and the result is significant. The Bill defines established business relationship as any time an end user has “established an account” with an entity for the receipt of products or services “offered by the covered entity.” The definition is somewhat clunky, but the consequence of this is that Facebook (or Twitter, Google, etc.) would not be considered a “third party” with respect to a website, if the user in question has an account with Facebook. So CNN.com (for example) and Facebook can freely use PII to target advertising, and Facebook would not be considered a third party. If I’m reading this right, this could be a huge boon for the likes of Facebook and Twitter, and a killer for ad networks. (The regulations which require covered entities to offer individuals an opt-out for behavioral advertising only apply to use by “third parties,” and entities which have “established business relationships” are not considered third parties.)

I’m curious about how the Bill would affect off-line (paper) direct marketing. My read of the bill is that it could limit certain aspects of junk mail. (The preamble talks about on and off-line use of data, but the text of the bill doesn’t seem to delve into details much with respect to off-line use.) The Bill treats a residential address as personally identifiable information, which is subject to various restrictions on use and transfer. The Bill treats advertising from a covered entity’s “own . . . website” as authorized, but does not clearly state that direct mailing is authorized. (The language is somewhat clear on this point.) Certainly, the Bill could be read to reach the sharing of addresses from one retailer to another, or from one retailer to a clearinghouse? Will the Bill require an opt-out from catalog marketers? Did the direct mailer association miss the lobbying boat on this one?

The effect on data aggregators is another aspect of the Bill that’s worth watching. Could the Bill be read to prevent retailers and other companies (such as cell phone companies) from transferring your information to companies that aggregate and sell your data, even for purposes such as a credit check?

Finally, since the Bill defines personally identifiable information to include email addresses, I wonder what effect this will have on email marketing, and the transfer of email addresses among various entities.

Other coverage:

ReadWriteWeb: “John McCain & The Wall St. Journal Should Not Determine the Future of the Internet

Ad Age: “Proposed Privacy Law Serves Notice to Online Ad Companies” (“There is a section that protects Facebook and like enterprises under the “Established Business Relationships” section, which would allow the social network to continue to collect “likes” that appear on thousands of sites across the web.”)

EFF: “Well-Meaning “Privacy Bill of Rights” Wouldn’t Stop Online Tracking

LA Times: “Facebook looks to cash in on user data

cnet: “Privacy ‘bill of rights’ exempts government agencies