Five Big Problems With the New Privacy Bill of Rights

Senators John Kerry and John McCain have co-authored a bill designed to protect consumer rights in the age of the InterWebs. Called the Commercial Privacy Bill of Rights Act of 2011, it's supposed to restrict the kinds of information data brokers can collect about you, and what they can do with it.

First: Kudos to Congress for even addressing the issue of privacy. In the past, consumer privacy has been a topic those inside the Beltway have either a) religiously avoided, b) dealt with by passing extremely narrow legislation protecting one particular practice (like video rentals) while allowing all manner of worse things to continue, or c) addressed via wishy-washy laws that make it look like they've finally stopped ducking the issue while doing nothing to solve the problem (CAN-SPAM Act, please pick up a white courtesy telephone).


Unfortunately, this piece of legislation -- which has received a thumbs up from Microsoft, Intel, HP, and eBay, and a "meh" from most privacy advocates -- contains more Wrongs than Rights.

What's the matter with this bill? From a privacy standpoint, plenty.

* It's extremely vague. The bill would allow data miners to "collect only as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development to improve the transaction or service and retain it for only a reasonable period of time."

Who determines what information is "necessary" and what a "reasonable" amount of time is? The answer: The data miners themselves. For Facebook, all of your information is necessary to deliver some kind of service; for years, Google claimed 24 months is a "reasonable" amount of time to retain search data. (After a lot of pressure they shrunk that down to 9 months).

The bill also calls upon data brokers to "implement security measures" to protect the data they collect. That could mean practically anything. Can you find a company that doesn't claim to implement security measures? Only after a breach has occurred do we find out just how lame those measures really were. (RockYou, I'm talking to you.)

* It lacks a private right of action. This insulates companies from private lawsuits. Feel like you've been screwed over by a data miner flouting the law? Your only option is to complain to the FTC or your state attorney general's office and hope they'll do something about it.

Here's what's going to happen. Complaints will pile up over a number of years. The FTC or AG will pick a handful of especially egregious companies and publicly spank them, as an example to the others. And that's it. Given how many other things the Feds and States have to worry about, the odds of your complaints getting addressed are practically nil.

* It bypasses state laws. Want to know why data leaks are constantly in the news? Because dozens of states now require companies to notify customers in the event of data breaches, based on laws modeled after California's SB1386. State privacy protections are almost always better than the few Federal ones that exist. But this bill would supersede any state laws around data collection. As with the CAN-SPAM Act, a weak Federal bill would trump stronger state laws.

It's true that companies often tear their hair out trying to comply with multiple state laws, some of which contradict each other. But why does the Federal law always have to be the weakest one?

* It's almost all opt out. If a data miner wants at your health information or religious affiliation, it will need your permission first. Otherwise, it's all fair game. Don't like it? The bill would force companies to allow you to opt out of data collection.

Quick, name all the data miners who have access to your data. I bet you can't. Hell, I can't, and I follow this stuff. Well, your job is now to track them all down individually and tell them to stop spying on you. Good luck with that.

* There's no 'Do Not Track Me' option. The biggest problem with this bill is what isn't there - no provisions at all keeping advertisers and data miners from compiling dossiers of your online activities and sharing them at a profit.

The Network Advertising Initiative does offer a collective opt-out mechanism consumers can use to tell the largest behavioral ad networks to buzz off. There are a lot of problems with this option, including the fact that it relies on cookies you may end up blocking or deleting, and that it's very browser and device centric - you'll have to opt out separately for IE, Chrome, Firefox, etc. on every Web gizmo you own.

The other big problem: That list does not include non-advertisers that also collect data about you -- like Rapleaf, Acxiom, LexisNexis, Experian, or Intelius, to name but a few. They all offer opt outs, but you'll have to visit each site separately.

We're going to hear a lot more about 'do not track' before this bill ever passes. The other stuff? Not so much.

Is this the best Congress can do? Absolutely not. But it may be as good as we're ever likely to get. And that's just sad.
