Do We Need a Privacy 'Bill of Rights'? Senate Considers One

May 4, 2011— -- U.S. consumer privacy laws are, to put it bluntly, a mess. We have sectoral laws that provide different protections for financial information, cable and phone subscriber records, health privacy and yes, video rentals. But we are the only country in the OECD except for Turkey that fails to provide baseline protections for consumer data that is collected online and offline.

Every day, our personal data are scattered like breadcrumbs to pigeons in the park, across the Internet and beyond to advertisers, social network sites, data brokers, direct marketers and the myriad companies we do business with. Our privacy laws simply haven't moved in step with the way our capacity to collect, process and share our personal information.

The Federal Trade Commission (FTC) has pushed about as far as it can with its limited power to go after bad guys for unfair or deceptive practices, but that case-by-case focus on instances where companies deceive consumers is just not enough. Companies simply hide behind ponderous and undecipherable privacy policies that do nothing to protect privacy, written by lawyers who are looking out for their companies -- not you.

But we might make progress yet. A recently introduced a bill from Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) would create for the first time a commercial privacy "Bill of Rights." It is the first comprehensive privacy bill in the Senate in more than a decade.

Given the rancor in Congress these days, the simple fact that this bill is a bipartisan effort speaks volumes.

Lawmakers are quickly wising up to the importance of consumer privacy. The bill gets a lot of things right, though there are several things my organization, the Center for Democracy and Technology, would change. But at least for today, let's focus on the things the bill does right.

Senate Bill Requires Basic Principles for Companies That Collect Personal Data

The bill would require basic Fair Information Practice Principles for all companies that collect personal data both online and offline. In practice, this means you get clearer, more timely and understandable notice when your information is collected.

Companies will have to tell you exactly what they are planning to do with your information, collect only what they need to accomplish that purpose and only hold on to your data as long as they need it for the stated purpose. You will be able to opt out of third party advertising and that opt-out needs to be global and persistent over time.

Security rules will be strengthened, as will the right of consumers to access the information that a company holds about you. If it's wrong, you can fix it. Both the FTC and State Attorneys General would have power to enforce the new law and impose significant civil penalties for violations, up to $6 million in civil fines.

The bill also has a requirement that companies engage in "Privacy by Design," which means they have to have internal processes in place to consider how to protect privacy as a product or service is first developed.

Finally, in order to make sure that these high level obligations can be tailored to different industries, the bill encourages companies to collaborate with consumer groups and others to develop industry-specific codes that incorporate and build upon the law's requirements. It is then up to the FTC to review those codes and approve the ones that pass muster.

This flexible approach should work for every industry and avoids rigid mandates that might dampen innovation or freeze privacy practices that might quickly be outdated.