A new attempt to offer regulations for Internet privacy may be a so-called discussion draft, but so far the discussion has been anything but promising for Virginia Congressman Rick Boucher, a man who cosponsored the 2005 Consumer Privacy Protection Act.
The Democrat released the draft legislation on Tuesday along with its cosponsor, Florida Republican Rick Stearns. It was immediately met with heavy criticism from those who represent business, e-commerce and advertising interests, as well as those who advocate for consumers and privacy protections. Given that kind of unanimous disdain and accompanying dim prospects for support, it may be difficult for Boucher to push any substantive change through a politically divided Congress that is already mired in financial reform and energy policy overhauls.
So does the bill go too far with regulation, or not far enough with protections? Yes, say those on both sides.
“Substituting federal regulations for competitive outcomes in the online privacy arena interferes with evolution of the very kind of authentication and anonymity technologies we urgently need as the digital era evolves,” said Wayne Crews, vice president for policy of the free-market-leaning Competitive Enterprise Institute. “Today, businesses increasingly compete in the development of technologies that enhance our privacy and security, even as we share information that helps them sell us the things we want. This seeming tension between the goals of sharing information and keeping it private is not a contradiction — it’s the natural outgrowth of the fact that privacy is a complex relationship, not a ‘thing’ for governments to specify for anyone beforehand.”
There’s nothing really new in the Boucher-Stearns bill proposal, according to Peter Eckersley, senior staff technologist for the Electronic Frontier Foundation. “We think the better model than just using opt-ins and opt-outs is for legislation to come in and set standards for appropriate privacy settings on the Internet,” Eckersley told the E-Commerce Times. “They don’t need to be rigid standards — one rule for all time — but they need to set up basic sorts of rules of the road for good behavior. The regulatory model in this bill doesn’t set real minimum standards for good behavior.”
The Bill’s Details
The discussion draft lays down the law as to what kinds of information would be protected, and it includes both online and offline-based data — names, addresses, phone numbers and other standard identifiers, as well as email and Internet protocol addresses, user names and preference profiles. It does, however, exclude data gathered for marketing, advertising or sales purposes from the “covered information” category, allowing third-party companies the ability to continue with targeted advertising initiatives based on a user’s past history or profile “likes” and “dislikes.”
Responding to current trends and initiatives, the proposed legislation does bring a user’s health/medical history and “precise geolocation information” under the “sensitive information” heading, along with financial data, race/ethnicity, religious beliefs and sexual orientation. It calls for privacy and data collection policies to be posted clearly on websites, and it continues the use of opt-ins and opt-outs regarding user consent to access their data.
One short paragraph in the draft has many consumer advocates worried: “This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, that includes requirements for the collection, use or disclosure of covered information.” Many states such as California are considered to be more proactive regarding privacy protection for their residents.
The Devil in the Details
“That seems to preempt much beyond the limits of the law itself,” Ari Schwartz, vice president of the Center for Democracy and Technology, told the E-Commerce Times. “This question in particular of existing health privacy laws is one example. States have good laws that have been in place for a long period of time that would be pre-empted. We’re not against pre-emption completely, but you have to have a bill that trends towards protections before you can do that.”
Also, Schwartz believes the bill’s reliance on traditional opt-ins/opt-outs doesn’t provide those protections.
“One of the main concerns is that it’s very prescriptive on notice and consent. We’ve seen a lot of bills that have been created that way that have not been helpful to consumers to address broader issues. They need to come up with more standardized ways to address notice and consent.”
That’s a concern echoed by Eckersley. “What we’ve seen, if the last 15 years of the Internet are anything to go by, is that that means there will be vast piles of fine print everywhere. It will just be really, really hard for anyone to know what it all means, what they’re agreeing to and what they’re opting out from — if they even get that far.”
Both Schwartz and Eckersley do give the bill’s authors credit for starting a serious Internet privacy discussion in Washington; lawmakers and privacy groups are starting to take a closer look at private initiatives such as Facebook’s new Open Graph platform, and mobile data transmission is becoming more of an option for consumers. Yet “this bill isn’t the kind of solution that we need,” Eckersley said. “It’s a rubber stamp for everything that’s occurring today. The fact that it starts that way, I think, means it would be miraculous if this were to turn into a bill that does protect people’s privacy in any significant way,” he added.
“There hasn’t been a comprehensive privacy bill introduced in 10 years until now, so having this discussion is extremely important,” Schwartz said.