And, Adds a Third Arena in the Senate for Privacy Discussions
This post was also written by Chris Cwalina, Amy Mushahwar & Mike Sacks.
On Monday, Senator Jay Rockefeller (D-WV) introduced a bill entitled, “Do-Not-Track Online Act of 2011,” that will kick off a dialogue over how and in what circumstances companies should be allowed to collect certain types of consumer information online. In the bill’s present form, it appears that most information collection would need to occur on an opt-in basis, which would be a significant departure from the current self-regulatory standard.
Sen. Rockefeller’s bill adds to the web of privacy activity in the Senate and is the third in a flurry of actions that relevant Senate committees have recently taken to address privacy issues. In mid-April, Senators John Kerry and John McCain introduced their “Commercial Privacy Bill of Rights Act” into the Commerce Committee, where Kerry serves as Chair of the Communications, Technology, and the Internet Subcommittee. On Tuesday, May 10, the Judiciary Committee’s Privacy Subcommittee held a hearing on mobile privacy, bringing in Apple and Google executives to testify. And Sen. Rockefeller’s bill now joins the Kerry-McCain bill in the Senate Commerce Committee.
As for the substance of the Rockefeller bill, its key provisions include:
FTC Rulemaking: The Bill is simple “by design,” and would require the Federal Trade Commission (“FTC”) to establish standards for the collection of information by companies online. Companies would be able to collect information from consumers that is essential to perform services requested by those consumers, so long as the company anonymizes or deletes the information once the service has been performed. For all other information, the FTC would be directed to create standards for the implementation of an opt-in, choice-based mechanism that allows a user to “simply and easily” tell the company whether or not to collect the user’s personal information (this term is not defined by the Bill; if enacted, it would be defined by subsequent regulation). To enforce the standards, the FTC would be required to develop rules mandating that any company that acts contrary to the user’s stated preference would face enforcement liability.
In addition, the Bill requires the FTC to perform a cost-benefit analysis and take into account technical feasibility when promulgating the do-not-track standards. Thus, it is imperative that industry begin to consider these factors now and convey to Congress (and the FTC, if and when the time comes) what consumer protections are technically and financially feasible. For example, one complication that we anticipate is that the Bill speaks in terms of individuals expressing choice. It is difficult to see how a company could build a mechanism that honors an individual’s do-not-track request when, in reality, many consumers use multiple devices, login usernames, and browsers; a preference expressed in one browser on one device says nothing about the same person’s other browsers and devices, and that gap will complicate any discussion of choice mechanisms.
Do-Not-Track Enforcement: Both the FTC and state attorneys general would have enforcement power under the Bill. Additionally, although the FTC traditionally has no jurisdiction over non-profit entities, this Bill would enable the FTC to target any non-profit entity that violates any regulations ultimately promulgated. In its present form, the Bill does not contemplate private rights of action.
Civil Penalties: Subject to adjustment for inflation, violators could be penalized up to $16,000 for every day they are found to be non-compliant, with a maximum total liability of $15,000,000.
Biennial Review: Within two years of the Bill’s enactment, the FTC would be required to review the statute’s implementation, assess the effectiveness of its regulations and the impact of the statute and its regulations on online commerce, and report its findings to Congress.
Enforcement Preemption Only: Any FTC enforcement action would preempt any state action against the same offense. The Bill does not contemplate preemption of state privacy laws. Ordinarily, departures from existing information collection standards as significant as those contemplated in the Bill would come with some state law preemption to help companies reduce overall compliance costs. That is not the case here. Instead, the Bill’s additional compliance obligations would be layered on top of an already complex (and at times conflicting) sector-specific legal regime.
For now, we expect the Senate to take the lead role in privacy discussions. At present, it appears that the Kerry-McCain bill primarily addresses data use, security and management. The Judiciary Subcommittee on Privacy, chaired by Senator Al Franken, will be focused on mobile privacy. And the full Commerce Committee under Sen. Rockefeller will be focused on information collection. However, this jurisdictional breakdown could introduce complications. Although such a division of labor may be convenient for legislators, information management realities do not break down as simplistically as collection, use, and mobile. Rather, these issues blend into one another. For example, if companies were to follow the Rockefeller bill’s anonymization requirement for collected data, web server logs rendered anonymous for do-not-track purposes would impede a company’s ability to investigate data security breaches, because unique identifiers such as IP addresses may have been removed from those logs, depending on how long services are being provided to that individual. This is only one of many issues that policymakers, the industry, law enforcement and consumer groups will need to consider, both substantively and procedurally, as the Senate proceeds with its various privacy agendas.
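To make the log-anonymization point above concrete, the following is an added example, not code from the original post or from any party named in it. It constructs a short access log in which one client generates repeated failed logins, then anonymizes it two ways: by deleting the client address, which is the reading of the Bill’s anonymization requirement the post worries about, and by replacing the address with a keyed pseudonym (an HMAC over the address). The pseudonym approach goes beyond anything the Bill specifies; it is included because it is a common way to keep per-client analysis possible after the raw address is gone. The log lines, the secret key, and the “failed logins per client” query are all assumptions constructed for illustration.

```python
"""Added example: deletion versus keyed pseudonymization of client addresses
in a web server log, and what each does to a breach investigation.
Log lines, key, and the investigative query are constructed for illustration."""

import hashlib
import hmac
from collections import Counter
from typing import Dict, List

# Constructed Apache-style access log (RFC 5737 documentation addresses).
# Client 203.0.113.7 tries /login repeatedly and fails twice before succeeding.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2011:10:00:01 -0400] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [16/May/2011:10:00:02 -0400] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [16/May/2011:10:00:03 -0400] "POST /login HTTP/1.1" 401 128
198.51.100.22 - - [16/May/2011:10:00:05 -0400] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [16/May/2011:10:00:06 -0400] "POST /login HTTP/1.1" 200 256
"""


def client_field(line: str) -> str:
    """First whitespace-delimited field: the client address or whatever replaced it."""
    return line.split(" ", 1)[0]


def delete_client(line: str) -> str:
    """Anonymize by deletion: the client address becomes '-' and is unrecoverable."""
    return "- " + line.split(" ", 1)[1]


def pseudonymize_client(line: str, key: bytes) -> str:
    """Anonymize by keyed pseudonym: HMAC-SHA256(key, address), truncated to 16 hex
    chars. The same address maps to the same token under the same key, so
    per-client analysis still works; without the key the token cannot be reversed."""
    ip, rest = line.split(" ", 1)
    token = hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16]
    return f"pseudo:{token} {rest}"


def anonymize_log(log_text: str, mode: str, key: bytes = b"") -> List[str]:
    """Apply one of the two anonymization strategies to every non-empty log line."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if mode == "delete":
        return [delete_client(ln) for ln in lines]
    if mode == "pseudonym":
        if not key:
            raise ValueError("pseudonym mode requires a secret key")
        return [pseudonymize_client(ln, key) for ln in lines]
    raise ValueError(f"unknown mode {mode!r}")


def failed_logins_per_client(lines: List[str]) -> Dict[str, int]:
    """A typical post-incident question: which clients produced HTTP 401 responses?
    The status code is the first field after the closing quote of the request."""
    counts: Counter = Counter()
    for ln in lines:
        status = ln.rsplit('"', 1)[1].split()[0]
        if status == "401":
            counts[client_field(ln)] += 1
    return dict(counts)


def suspicious_clients(lines: List[str], threshold: int = 2) -> List[str]:
    """Clients with at least `threshold` failed logins. After deletion every
    failure collapses onto '-', so the answer says nothing about who did it."""
    return sorted(c for c, n in failed_logins_per_client(lines).items() if n >= threshold)


if __name__ == "__main__":
    key = b"assumed-secret-rotated-per-retention-period"  # assumption, not from the post
    for mode in ("delete", "pseudonym"):
        out = anonymize_log(SAMPLE_LOG, mode, key)
        print(f"{mode:9s} failed logins per client: {failed_logins_per_client(out)}")
```

With deletion, the investigator sees two failed logins attributed to “-” and cannot tell whether one client or many were involved. With a keyed pseudonym, the two failures still resolve to a single client token, and the token is only linkable to other records for as long as the same key is in use, which is the knob a company would turn to match whatever retention period a regulation ultimately sets.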