The Association for Competitive Technology (ACT) submits the following comments on S.2201. Representing mostly small and mid-sized companies, ACT is the industry’s strongest voice when it comes to preserving competition and innovation in the high-tech sector. ACT member companies include software developers, content providers, and IT consulting firms that care deeply about protecting privacy.
ACT has steadfastly and consistently opposed the need for privacy legislation. ACT’s position is rooted in the following principles:
- The IT industry recognizes that protecting personally identifiable information is important to its customers.
- Increased consumer education creates opportunities for IT firms to capitalize on “the business” of privacy and create new technologies and services directly targeted to securing a more private Internet experience.
- Laws and regulations would not be able to contemplate the many activities businesses are actively pursuing to gain consumer trust. Moreover, any regulatory scheme would not be able to respond to rapidly changing consumer demands the same way that businesses can.
S. 2201 runs counter to each of these principles and will be devastating for small technology companies. The bill does not acknowledge the efforts of the private sector to safeguard consumers’ privacy. Further, it is inconsistent with the reasoned approach set out by the Federal Trade Commission.
Throughout the course of the privacy debate, many legislative proposals have been put forth as starting points for negotiations. Unfortunately, this unworkable bill is not in that category. S. 2201 is an online privacy bill that would impose significant costs and burdens on companies operating on the Internet. It will greatly impede the free flow of information that online companies, such as advertisers, credit institutions, and insurance firms, rely on to provide various benefits to consumers. These benefits include lower costs of goods and services; free Web content and services; and fraud detection and prevention.
S. 2201 inappropriately treats information collected online differently than information collected by other means. There is no justification for regulating online data collection, use, and disclosure practices differently or more strictly than offline practices. According to an ACT poll, 89% of those surveyed said that if there is a privacy law it should cover ALL personal information, regardless of how it was collected. This approach will require the vast majority of U.S. companies to maintain two separate administrative systems: an offline system subject to any applicable offline privacy regulations (such as the GLB Act or health care privacy rules) and an online system subject to the privacy requirements contained in S. 2201. Such a two-tiered system would be extremely costly and burdensome to manage. Indeed, many companies in this situation will discontinue their online operations altogether. And, in light of the significantly higher administration and compliance costs associated with maintaining separate databases, those companies that decide to maintain an online presence will effectively be forced to subject all of their data collection practices, whether online or offline, to the requirements of S. 2201.
Rather than pass comprehensive online privacy legislation, Congress should allow the FTC to carry out its new online privacy agenda, including stepped up enforcement activities and greater attention to identity theft and spam.
Analysis and Comments on Specific Provisions:
1. Notice and consent
S. 2201 requires that privacy notices be “clear and conspicuous” and mandates a rulemaking to define these terms. Two words could thus give rise to a phone book’s worth of regulation. The GLB Act imposes similar requirements on financial institutions; yet, their notices have been widely criticized as unreadable and ineffective. S. 2201 will undoubtedly create a scenario similar to the financial services context: high costs for website operators and low benefits to consumers.
The bill’s extremely broad definition of PII includes “any identifier for which the FTC finds there is a substantial likelihood that the identifier would permit the physical or online contacting of a specific individual.” The bill does not exclude information that is collected or used anonymously or in the aggregate from the definition of PII. Because this information does not affect the privacy of individuals, it should be excluded from the definition of PII, as it is in other privacy laws. Without an explicit exclusion for this type of data, small companies could be prevented from performing the critical functions of developing statistics and analyses of how consumers use their online products and services. This will adversely affect their ability to improve those services and/or derive revenue via advertising or other means.
S. 2201 requires notice and consent even for sharing PII with corporate affiliates, joint ventures, and business partners, making provisions of the bill applicable to these entities as “third parties.” The apparent treatment of affiliates as third parties is especially troublesome for large companies with complex corporate structures. Many large companies consist of dozens of different corporate entities, all of which may share common customer databases. If user consent were required for controlled subsidiaries and affiliates to share personally identifiable information, then these large companies would be out of compliance automatically by the very nature of the way their data management infrastructures are currently built.
S. 2201 requires, for both sensitive and non-sensitive PII, that the consent for collection, use and disclosure be obtained “before the information is collected.” This would seem to preclude obtaining consent for any additional uses of previously collected personal information. Consent for collection is normally implicit in the fact that the user is providing the data (or is using the service following notice that certain behavioral or usage data will be tracked as part of using the service). Thus, consent for use or disclosure should only be required prior to the use or disclosure of the personal information, not prior to its collection. In addition, because consent for use is normally implicit in the fact that a user is providing data for a specific purpose, consent for a website’s use of a customer’s information should only be necessary for those uses that the website did not previously identify at the time the information was collected.
The bill’s exclusion from the consent requirement for data shared with third party agents/vendors is too narrow. Specifically, Section 104(a) excludes from the consent requirement disclosures that are necessary “to conduct a transaction, deliver a product or service, or complete an arrangement for which the user provided the information.” This language would not cover a situation where the “user provided the information” for Transaction A, then later requests Transaction B which requires a separate use/disclosure of the previously collected information. The transactions/services contemplated by this exception should not be limited to those “for which the user provided the information,” but should instead include any that are requested, authorized, or consented to by the user.
In addition, the bill’s definition of “disclose” excludes information provided to “a person who provides support for the internal operations of the service or website,” which is further limited to “activity necessary to maintain the technical functionality of that service or website.” The bill would therefore not permit sharing for non-technical support functions that are nevertheless for the purpose of operating the website or online service.
2. Opt-in for sensitive data
The bill imposes new requirements for financial data, thereby amending relevant portions of the GLB Act. In addition, the types of data considered to be sensitive are broader than those considered sensitive under the EU Data Protection Directive, which excludes financial data from its definition of sensitive data.
3. Preemption
Preemption of state privacy laws is the proper course of action. However, S. 2201’s treatment is confusing. Section 4 states that the bill “supersedes any State statute, regulation, or rule regulating Internet privacy to the extent that it relates to the collection, use, or disclosure of personally identifiable information obtained through the Internet.” The “regulating Internet privacy” language is unnecessary and will only create confusion as to what laws are intended to be preempted by this provision. Furthermore, while Section 4’s language covers State Internet privacy legislation to the extent that it relates to collection, use or disclosure of PII, it does not directly address State law access or security requirements. In our view, there are good reasons not to include access and security provisions in the bill. But if those provisions are included, the preemption provision should cover access as well.
One may ask why access but not security. The fact is that the two are quite different issues. Access, along with collection, use and disclosure, relates to how the recipient (and those in the chain with the recipient) of PII collects and maintains information. Security regulation, however, is concerned with the actions of not only the recipient (in terms of the obligation to protect PII) but also the actions of third parties (e.g., hackers) who may attempt to obtain and misuse the PII in a recipient’s database. The security risks posed by such third-party activities require a wider net of regulation and penalties than does access, as well as collection, use and disclosure; and much of the law directed at the improper activities of third parties is found in State law, which it is not necessarily desirable to preempt.
Finally, although Section 4 omits language found in an earlier bill carving out several exceptions to preemption (including State tort, common law, and fraud actions), the Section does not clearly preclude consumers from bringing private lawsuits based on existing State common law rights of action that assume duties not contemplated by, or even at odds with those imposed by, the bill. It is untenable to establish through the bill what is supposed to be a comprehensive federal regime of online privacy regulation, but then to leave Internet service providers and others exposed to the threat of such inconsistent State law liability.
4. Access
S. 2201 would permit consumers to access all PII subject to a vague and undefined reasonableness test. The bill also fails to exclude information (such as past facts; information that may reveal trade secrets or internal operations of the company; and information that could subject the company to liability) to which consumers should never have access.
ACT conducted a study to understand the impact of an access provision similar to S.2201. The results are telling. The study concluded that many businesses would choose to stop sharing personal information if faced with a $100,000 initial cost to make their websites compliant with mandated access. One estimate assumed that only 10% of online businesses would make the investment in their websites and related systems to track all uses of personal information and the choices made by users. This results in around 360,000 businesses spending $100,000 each, for a total cost of $36 billion.
In addition, although S. 2201 allows covered entities to charge a fee for providing access, these fees would hardly recoup the costs associated with designing and building the access system, especially since it is generally conceded that no more than 10% of users will ever utilize this access system. These costs may exceed our study’s estimate because the bill fails to clearly define the precise categories of PII to which access must be provided.
S. 2201 also fails to address authentication requirements associated with providing users with access to their personal information. Such authentication is critical to ensure that the user seeking access is who he or she claims to be; however, it means that websites will need to collect more PII to ensure that users are properly authenticated. Indeed, the PII required to authenticate users may well exceed the PII collected in the first place. As a result, Web sites will face a severe dilemma: impose intrusive authentication requirements on users or risk granting access to unauthorized users.
Finally, S. 2201 does not define what it means to “delete” a record in an electronic environment. For example, users often request to have their e-mail address deleted, and to never receive e-mail again. However, these two requests are incompatible because retention of an e-mail address is necessary to place that address on an internal “do-not-mail” list. The bill is unclear on how such situations should be addressed. It also fails to consider requests to delete personal information where there is a legal obligation or an important business reason to retain the information.
5. Private rights of action
The bill limits private rights of action to violations involving sensitive PII, but this definition sweeps in financial information subject to a separate enforcement regime under the GLB Act. In addition, the bill fails to include a cap on liability, and its penalties seem excessive: $5,000 per violation (a class action for 10 million users of a popular service would max out at $50 billion, or more depending on whether a series of related violations, e.g., a problem that persists over days or weeks, is counted as a single violation or as multiple violations). And because the bill requires “reasonable” access and security measures, it requires Internet companies to spend millions of dollars litigating frivolous claims and to prove in court whether or not such measures were reasonable. These types of penalties will be a death knell for small companies caught in the crosshairs. In short, S. 2201 is a plaintiff’s lawyer employment and enrichment act.
6. Policy changes and breach of privacy
S. 2201 requires notice and consent for “material” changes to a company’s privacy practices. The bill also requires notice to consumers of any “compromise” of PII. However, the bill fails to define these terms. S. 2201 therefore establishes a regime in which website operators will have to constantly second-guess the meaning of “material changes” and “compromise” and either err on the side of caution by issuing frequent notices or risk government or private enforcement actions for failing to comply.
In addition, the bill’s language requiring website operators to provide notice to “all users whose sensitive or nonsensitive” PII was affected by an unlawful collection, disclosure, use or compromise is especially burdensome and would require extensive tracking of users against specific versions of products or services (and upgrades) in order to determine which user is affected in any given case.
7. Disclosures to law enforcement
The bill’s provisions governing disclosures to law enforcement are too narrow and do not track the requirements of the Electronic Communications Privacy Act (“ECPA”), as amended by the USA Patriot Act. The bill should defer to the requirements in ECPA that require law enforcement to obtain subpoenas, warrants, or court orders depending on the type of information (i.e., contents of communications or subscriber information) that they seek to collect.
8. Security
S. 2201 calls for “reasonable” security procedures but fails to indicate what “reasonable” means. In addition, the bill fails to follow the FTC recommended language that such security programs be “appropriate to the circumstances.” Finally, although the security requirement is broad and vague, violations are actionable under the FTC Act and under private law suits involving the security of sensitive PII.
9. State Actions
S. 2201 permits a state attorney general to bring an action where it believes that an interest of the residents is or has been “threatened,” which is an overly broad provision. This opens the door for state attorneys general to go after online businesses and websites for any number of imagined and unrealized harms instead of requiring an actual harm or “adverse effect” to occur before a state enforcement action can occur.
10. Other issues
S. 2201 fails to include a safe harbor for Web sites that participate in self-regulatory programs. In addition, the bill calls for NIST to support and encourage efforts such as P3P; however, requiring use by Federal agencies would be far more effective in increasing the adoption rate of P3P-based privacy statements and related technologies.