Two U.S. lawmakers have released a draft bill that would require companies that collect personal information from customers to disclose how they collect and share that information, but several privacy and consumer groups said the proposal would legalize current privacy violations online.
The draft legislation, released Tuesday by Representatives Rick Boucher, a Virginia Democrat, and Cliff Stearns, a Florida Republican, would apply to information collected online and off. The bill would require companies collecting personal information to allow customers to opt out of the collection, and would require companies to get permission before sharing customers' personal information with third parties.
"Our legislation confers privacy rights on individuals, informing them of the personal information that is collected and shared about them and giving them greater control over the collection, use and sharing of that information," said Boucher, chairman of the House Energy and Commerce Committee's Subcommittee on Communications, Technology, and the Internet, in a statement. "Our goal is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure."
But several privacy and consumer groups, including the Consumer Federation of America, the Electronic Frontier Foundation and the Electronic Privacy Information Center, criticized the bill, saying it would codify current online privacy practices that exist more for the benefit of companies than customers.
"No bill would be better than this bill," Evan Hendricks, editor and publisher of the Privacy Times newsletter, said during a press conference.
The bill would put into law a weak privacy practice pervasive online today that allows companies to collect personal data if they give notice and, in some cases, get consent, added John Simpson, director of the Google privacy and accountability project at Consumer Watchdog.
"I can't really say very much good about it," he said. "This bill really adopts a bankrupt notice-and-consent regime that we all know does not work."
The consumer and privacy groups also complained that the bill would prohibit states from passing their own online privacy bills, prevent individual consumers from filing lawsuits against companies that don't protect privacy, and allow companies to keep personal information for up to 18 months.
"Please explain why a marketer would need to keep your information for 18 months," said Michelle De Mooy, senior associate for national priorities with Consumer Action.
Consumer Action praised the lawmakers for taking a first step toward a privacy bill. "But this bill is not the answer," De Mooy added. "Consumers are getting angrier and angrier, and we hear from them all the time about companies hiding under privacy policies to get to their personal information."
Companies would not need opt-in permission to collect operational or transactional data such as Web logs or cookies under the draft bill. However, companies would also need opt-in consent to collect sensitive information such as medical records, Social Security numbers, information about sexual orientation and precise geographical location.
With the exemption for operational data, companies could collect almost any personal information without stronger safeguards, Simpson said.
The draft bill would require companies collecting personal information to display understandable privacy policies. The bill would exempt online companies from getting opt-in permission to share personal information with third-party advertising networks if there was an easy-to-find link to a personal profile page where customers could change their advertising preferences or opt out.
The draft bill is "thoughtful and a good starting point" for a discussion about online privacy, said Michael Zaneis, vice president for public policy at the Interactive Advertising Bureau (IAB), a trade group representing online advertising networks. He praised the bill for including a provision to launch a federal educate campaign on consumer privacy.
But IAB also has some questions about the proposal, because it appears to expand the definition of personal information to include IP addresses and cookies, and appears to require online companies to get opt-in permission to collect that information when sharing it with third parties, he said. Web sites often pass that data between them, he said.
"We've never regulated cookies and IP addresses and treated them as if they were personally identifiable," he said.
The data collection notice requirements in the draft legislation are also extensive, and some Web publishers may know how third-party sites handle some information, he said. "I'm worried about first-party Web site obligations under the bill," Zaneis said. "We need to make sure that we have appropriate obligations on appropriate parties here."
While the consumer and privacy groups attacked the draft bill as too weak, the Progress and Freedom Foundation (PFF), an antiregulation think tank, complained that the bill could damage the online advertising market and result in less free online content for consumers.
"By mandating a hodge-podge of restrictive regulatory defaults, policymakers could unintentionally devastate the 'free' Internet as we know it," the PFF said in a statement. "Because the digital economy is fueled by advertising and data collection, a 'privacy industrial policy' for the Internet would diminish consumer choice in ad-supported content and services, raise prices, quash digital innovation, and hurt online speech platforms enjoyed by Internet users worldwide."
Lawmakers should first find "specific consumer harm that requires government intervention," the PFF added.
Fears that a strong privacy bill would kill online advertising are overstated, countered Jeffrey Chester, executive director of the Center for Digital Democracy.
"The industry wants to frame this debate in a very narrow, self-serving way, suggesting that if you protect privacy, you will curtail online advertising," he said. "The industry is using this threat that the Internet will go dark, will go bankrupt, if consumer privacy is protected. It's a disingenuous, twisted and fallacious argument."