TrustArc Blog

Thoughts on the new online privacy bill

May 05, 2010

Fran Maier
President
TRUSTe


Today, Congressman Rick Boucher (D-VA), Chairman of the Subcommittee on Communications, Technology, and the Internet, and Congressman Cliff Stearns (R-FL), Ranking Member of the Subcommittee, released draft language for their much-anticipated online privacy bill. In short, the bill requires online entities to provide notice to individuals and obtain their consent prior to the collection and disclosure of personal information (with noted exceptions). The full text of the draft bill can be accessed here as well as an executive summary here.

I’ve had a chance to look at the text and these are my three initial takeaways:

(1) The public review of this draft language is needed and welcome:

For a privacy bill of this magnitude, the expertise of the private sector cannot be overlooked and I encourage fellow privacy experts and players to critically analyze the bill and provide feedback as requested by the Congressmen. These issues are complex and TRUSTe’s privacy experts will continue their review of the draft language and provide input as needed.

(2) The current draft language positions the traditional privacy policy as the go-to standard for “notice” – this is both a good and bad thing:

The bill would require, as a national standard, that Web sites have a privacy policy. Currently there is a de facto national privacy policy standard because California business code requires companies doing business with California citizens (read: virtually every company) to have a conspicuously posted privacy policy on their Web site. The passage of this bill would only strengthen that regulatory imperative, and the thousands of Web sites that do not have a privacy policy could suddenly find themselves in violation of federal law. Providing notice to consumers about the data processing practices of a Web site is a good thing and I welcome this concept as a federal national standard.

I am concerned, however, about the adequacy of status-quo mechanisms for providing this notice. Given the ever-increasing complexity of online data processing practices, written privacy notices too often devolve into legalese and, ultimately, consumer confusion. Privacy notice innovation is crucial: how do we make key privacy disclosures readily accessible and easily digestible for consumers? The current draft language of this privacy bill does not outline specific criteria for the structure and presentation of privacy notices, beyond requiring a hyperlink to such notice on a Web site’s homepage. TRUSTe is working on innovative privacy notice solutions, incorporating graphical privacy disclosures, shortened, “top-level” notice formats, and pop-up notices at the point of data collection. Our goal is to make privacy choice more actionable and accessible to consumers, and we’ve brought this approach to the behavioral advertising space, where we are currently piloting a privacy notice and choice pop-up widget that allows consumers to efficiently manage their privacy preferences for online advertising.

(3) The bill sets the stage for greater FTC regulatory power – this is a wake-up call for more proactive self-regulation:

The bill gives the FTC enforcement powers over this hypothetical privacy law and allows the Commission to issue regulations it deems necessary to support enforcement. Also, consider that back in January the FTC’s Director of Consumer Protection, David Vladeck, announced that this year the Commission expects to announce enforcement action in the behavioral advertising space. Lastly, the Consumer Financial Protection Agency Act currently making its way through Congress could also greatly expand the FTC’s privacy enforcement powers. These are the signs of a federal government more acutely concerned with the privacy implications of rapidly developing online technology. This draft bill unveiled by our Congressmen not only foreshadows a possible regulatory direction, but also presents an opportunity for stakeholders to insert themselves in the debate and help shape key privacy precedents for the future. The TRUSTe team is still analyzing the privacy implications of the various opt-in vs. opt-out nuances of the draft language. We will update this blog in the near future when we reach consensus on these issues.