One day before Congress’ meeting with Apple and Google representatives to discuss their privacy practices, Sen. Jay Rockefeller (D-W.Va.) released a proposed bill that would give the FTC wide latitude to design rules for a “do-not-track” mechanism for computers and mobile devices.
The proposed bill, called the Do-Not-Track Online Act of 2011, is one of four recently proposed bills to address consumers’ privacy (http://tinyurl.com/3cqlvys). The bill would give the FTC one year to design and implement a mechanism for individuals to opt out of information collection practices by providers of mobile applications and services.1 The mechanism must allow individuals to “simply and easily” indicate whether they prefer to have personal information collected online or through mobile devices, giving them an ability to opt out of online tracking. The rules also must prohibit providers from collecting information from individuals who have opted out of such collection.2 However, the bill would allow tracking if: (1) the collection of information is necessary to provide a service requested by the individual so long as the information is anonymized or deleted upon the provision of the service; or (2) the individual receives clear notice and affirmatively consents to the collection.3 Affirmative consent will likely require an affirmative action, such as click acceptance, by the consumer.
In devising standards under this bill, the FTC must determine the proper scope of the rules, the technical feasibility and costs, previous mechanisms developed for this purpose, whether and how information should be used anonymously, and the standards under which information can be collected and used once made anonymous.4
The bill provides that a violation of the rule would be treated as “an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the FTC Act.”5 Attorneys general, as well as “any other officer of a State who is authorized by the state to do so,” may bring a civil action to enforce compliance with this law, and the FTC also may intervene.6 Civil penalties for violation of the bill would be calculated by multiplying the days that the entity is out of compliance by no more than $16,000, with a penalty not to exceed $15 million.7
The FTC is tasked with reviewing the law two years after its promulgation.8
In a statement, Sen. Rockefeller said, “I believe consumers have a right to decide whether their information can be collected and used online. This bill offers a simple, straightforward way for people to stop companies from tracking their movements online.”9
With the recent high-profile privacy breaches and controversy surrounding customer location tracking, privacy is a hot-button issue right now and clearly within the sight of Congress. While it remains to be seen whether this bill, or one of the three other recent privacy bills, will be enacted, it is likely that Congress will be focusing its attention squarely on these issues in the near future. Additionally, the bulk of the details will come through the FTC rulemaking process. Companies are well advised to keep at least one eye squarely focused on the pending legislation in developing strategies for compliance with personal information privacy and security requirements.
Andrew B. Serwin
Chair, Privacy, Security & Information Management Practice
San Diego/Del Mar, California
Chanley T. Howell
Megan E. O’Sullivan
San Diego/Del Mar, California