McCain Kerry "Privacy Bill of Rights" Increases Controls on Use of Personal Information
Senators John McCain (R-Ariz.) and John Kerry (D-Mass.) have introduced a draft privacy bill that seeks to enhance protection and control of personal information. Named the Commercial Privacy Bill of Rights Act of 2011, the proposed legislation would require businesses to disclose when they track consumer activity and share related data with third parties. The resulting law would be enforced by the Federal Trade Commission and states' attorneys general, but would exclude private rights of action.
The bill would enforce protections to prevent consumers' personally identifiable information from residing with third parties without the consumers' knowledge, according to Julie McNelley, a San Francisco-based senior analyst with Aite Group.
"The aim of the bill is to provide more visibility for the consumer," McNelley says. "There's significant language saying that consumers must have the opportunity to opt out, and that opportunity must be conspicuously placed." The privacy "rights" enumerated in the draft of the McCain Kerry Bill include:
- The right to security and accountability, which requires collectors of information to implement security measures to protect the information they collect and maintain.
- The right to notice, consent, access and correction of information, requiring collectors of information to provide clear notice to individuals on their collection practices and its purposes. Collectors must also provide the ability for an individual to opt out of any information collection and provide affirmative consent, i.e., opt in, for the collection of personally identifiable information.
- The right to data minimization, distribution constraints, and data integrity, which requires collectors to collect only as much information as necessary to process or enforce a transaction or deliver a service, while allowing for use of information for research and development purposes for a reasonable time. Collectors would also be bound by contract to ensure that any individual information transferred to a third party would only be used in accordance with the bill's requirements.
The bill includes language requiring information collectors to implement appropriate risk-based mechanisms for protecting consumer data, comments McNelley. While many financial services companies already require vendors to apply a series of protocols against personally identifiable information, the bill would seek to codify and standardize such measures.
"The bill doesn't say that the rule-making cannot prescribe specific technologies, but it could include some sort of benchmarking," McNelley says. "That's somewhat of a good thing because technology evolves so quickly and you want to leave companies some latitude."
Insurance compliance officers and CIOs should keep an eye on the rule-making process, McNelley counsels. "The one potential for damage is that the notification requirements become so onerous that they could disrupt the current capitalistic mechanism of the Internet whereby content is provided free and monetized in various ways, such as by advertising," she explains. "If the compliance mechanisms become so onerous that people opt out en masse, it could disrupt e-commerce."
Blogger Ira Stoll warns that onerous requirements are already built into the proposed legislation:
"The text of the bill identifies such items as 'date of birth' and 'the religious affiliation of an individual' as 'personally identifiable information' and 'sensitive personally identifiable information,' meaning that such useful Web sites as Wikipedia and whorunsgov.com might be ensnared," Stoll writes.
Stoll notes that the bill calls for a penalty of $16,500 per individual per day a violation exists, or $3 million total, adjusted annually for inflation.
Matthew Josefowicz, Partner and Managing Director, Novarica (New York), says it's too early to gauge the impact of the bill on the insurance industry, but insurers need to be mindful of potential impact beyond e-commerce. "Insurers need to stay abreast of this type of online privacy regulation not just in relation to their e-business efforts, but with an eye towards the ability to use consumer behavior data for developing innovative underwriting and pricing models," Josefowicz says.
By excluding a private right of action and shutting out the class action bar, this bill avoids mistakes made in the telemarketing context nearly twenty years ago, according to Amy Mushahwar, attorney, Reed Smith LLP (Washington, DC). "The aftermath of the Telephone Consumer Protection Act clearly shows that consumer class actions rarely benefit anyone."
"We also take guarded encouragement that the bill still contemplates an industry self-regulatory program," Mushahwar adds. "Industry is already well on its way towards greater self-policing efforts in the area of online behavioral advertising. These serious efforts ought to be provided an opportunity to demonstrate that strong self-regulation is a more sensible and flexible solution than static legislation, particularly in an area where privacy expectations, consumer tastes, commercial needs and technology are rapidly evolving."
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...