The opinions expressed in this alert are the views of the writer and interview subject, and not necessarily the views and opinions of Foley & Lardner LLP.
Andy Serwin, Chair, Privacy, Security & Information Management Practice at Foley & Lardner LLP, recently sat down with Scott Shipman, eBay’s Associate General Counsel, Global Privacy Leader, to get his personal thoughts on the Commercial Privacy Bill of Rights Act of 2011 (CPBR).
Scott: Thanks Andy for the opportunity to talk with you about the bill. Importantly, these comments are not those of eBay Inc. While eBay does support the bill, the thoughts and opinions to your questions are mine alone. I’ve formulated my opinions generally since 2006 when I testified on federal privacy legislation and over the last 18 months specifically as I’ve interacted with people close to this bill.
Andy: Do you think the Kerry-McCain bill is a good bill?
Scott: The Kerry-McCain bill threads a needle, striking a balance between business and consumer needs. To read that some consumer groups think it doesn’t go far enough and some business associations say it goes too far seems to say [to me] it is actually somewhere in the middle. Notably, a few key companies and consumer groups have come out to support it. So public opinion indicates that it does fall somewhere in the middle. To borrow from a few common phrases, not everyone is comfortable with change and everything can be improved — but that said, this is the best we’ve seen in a long time.
The bill is good for consumers because it creates a series of standards [requirements] that should increase consumer trust, requires businesses to communicate how personal information is processed, requires reasonable access, correction, and deletion of personal information, requires choices for consumers when information may be used for unauthorized uses, and creates a baseline of privacy standards required of all businesses whether online or offline and provides clear FTC and attorney general enforcement to keep businesses compliant with the Act.
The bill is good for businesses because it should increase consumer trust when collecting consumer personal information, offers more predictability for businesses evaluating privacy laws, is based largely on what most responsible businesses already do today, offers proportional requirements, not discriminating between start-ups, SMBs, and larger businesses, reduces the uncertainty and the burdens of private rights of action and class actions, and it is technology-neutral, allowing for technical innovation.
Andy: How does it create predictability and unification of standards for businesses and consumers?
Scott: The bill largely codifies privacy practices that most responsible businesses are already doing today. U.S.-based international businesses already have to comply with privacy standards more strict than this bill. The bill clearly borrows heavily from the Fair Information Principles, work done on use and accountability models, and existing state, federal, and international privacy law. Once the rulemaking is finalized — by virtue of the bill’s origins and standards it creates, it offers businesses the clearest standard to follow to date.
From a consumer perspective, it provides new privacy rights that apply online and offline. Consumers will not have to second-guess what law applies or ask what state the company is located in, in order to know that the rights apply.
Andy: Can you explain the “safe-harbor” concept and how it would be applied?
Scott: The safe harbor is a new concept — one that I think tries to strike a balance between the flexibility of self-regulation and traditional “set-in-stone” regulations. The key focus is on transfers of personal information to third parties for online behavioral advertising, location-based advertising, or other unauthorized uses of personal information. Notably, these transfers are not in the service provider context, but transfers of personal information to third parties so they [the third parties] can use it for their own purposes unrelated to the original entity. I suspect this is probably one of the most misunderstood pieces of the bill generally, even excluding the safe harbor.
The structure is such that an NGO can apply and receive approval to administer a program that covered entities could enroll in. The key point is that the program offers flexibility in “how” the requirements are met as long as they are met [a clear opt-out of these transfers to third parties]. Naturally, businesses can choose which safe-harbor program if any to join. It is completely voluntary.
The safe harbor does not cover Title I, Security and Accountability. All covered entities are required to comply with Title I. Therefore, the safe harbor really focuses on alternative ways to comply with Title II and Title III.
In exchange for joining a safe harbor and meeting the requirements, a covered entity is exempt from the specific section of Title II or Title III of the Act where they have implemented a safe-harbor compliance alternative. Should a business choose not to join a safe harbor, they are required to follow the specific obligations of the bill.
Therefore, the safe harbor really focuses on alternative ways to provide consumers with choices on unauthorized uses [opt-out], behavioral advertising [opt-out], sensitive information [opt-in], and new uses of previously collected information [opt-in] (Title II SEC. 202 (a) (1) – (3)), provide consumers reasonable access and correction mechanisms (Title II SEC. 202 (a) (4)), enable consumers to request personal information deleted or stop use for marketing (Title II SEC. 202 (a) (5)), minimize the collection and retention of covered information (Title III SEC. 301 (1), (2)), require transfers to third parties have appropriate contractual safeguards (Title III SEC. 302 (a), (b)), and require information is reasonably accurate (Title III SEC. 303).
Andy: What have you heard about its chances of being enacted?
Scott: Isn’t there a public television show about how a bill becomes a law? I have no idea what the chances of passage are. As a consumer I’d like to see it pass. I like targeted ads and believe in behavioral advertising, but I also want to know that my personal information is respected, not traded like a commodity without any baseline controls in use or security. There are so many unintended consequences from poor security or misuses by third parties.
Andy: What are some of the key areas likely for misunderstanding?
Scott: Access — Many companies could be concerned about providing access to all data when much of the data is largely inaccessible. A few key words to note are appropriate, reasonable, and covered information. Covered Information excludes public information, public forum information, and public media information.
Opt-in for material changes and sensitive data. Companies are permitted to collect sensitive information to process transactions, for fraud prevention, and for security. Further, an opt-in is not required for new uses of previously collected information, if there is no risk of economic or physical harm. In such cases an opt-out is what the bill says is appropriate.
Retention. Companies may be concerned about a retention standard. Companies can retain information to provide services and ongoing services, for internal research and development, and as required by law. Further, it is likely that we’ll see an initial change to the bill including retention for fraud prevention and enforcement of contractual terms and conditions, as this may have been a matter that was simply lost in the shuffle.
Third parties and unauthorized transfers. Third parties do not include members of the same corporate family, companies that provide a service under a contract for a covered entity, or an entity that has an established business relationship with the individual.
Andy: What do you think is the key provision that may restrict business practices?
Scott: A key restriction, and I think a goal of the bill, is to restrict the sale or transfer of covered information to third parties for their [the third parties’] own uses. Selling or transferring personal information without any notice and opt-out consent is prohibited under this bill.
Andy: Thanks Scott. It is something we will continue to follow, and I appreciate your thoughts on the bill.
Andrew B. Serwin
Chair, Privacy, Security & Information Management Practice
San Diego, California
Peter F. McLaughlin