Online Privacy and Data Security Legislation Update -- 2011 Year in Review
The end of 2010 featured the Department of Commerce citing the need for a Privacy Bill of Rights in its green paper and the FTC’s preliminary online privacy report discussing the need for a Do Not Track mechanism. The momentum generated by these reports led to the introduction of multiple versions of Do Not Track and comprehensive privacy rights bills in early 2011. By mid-2011, at least five different data security and breach notification proposals were circulating in the wake of high profile data breaches. Reports about location based tracking led to the introduction of geolocation privacy and surveillance bills. Proposed amendments to the Children’s Online Privacy Protection Act, Electronic Communications Privacy Act, and Video Privacy Protection Act were also made. And by the end of 2011, several cybersecurity bills designed to protect critical infrastructure had been introduced. Even though Congress held hearings on privacy issues, subcommittees approved several bills, and there was support from the Obama administration for comprehensive privacy legislation, as many expected, however, none of these bills were enacted when the first session of the 112th Congress adjourned December 18.
The safe prediction for 2012 is more of the same—a lot of proposals but no consensus. It is certainly possible that another high profile data breach or cyberattack against a utility or government contractor could create enough urgency to force a consensus. However, numerous high profile breaches (Epsilon, Sony, Citi, RSA, Lockheed Martin and several health care providers), hactivist attacks against government security contractors (IRC Federal and HBGary), and reports about how the “weaponized” Stuxnet virus caused centrifuges in an Iranian nuclear facility to spin wildly out of control were not enough in 2011. We certainly expect to see data breach notification, comprehensive privacy, and cybersecurity bills addressed again in 2012. We may also see narrower bills aimed at online and location based tracking as well as Children’s privacy. Emerging technology, including mobile payments and facial recognition, may also garner legislative attention.
Below is a roundup of the 2011 privacy and data security legislative proposals, including links to more detailed analysis from our blog posts during the year.
Do Not Track
Representative Speier introduced the “Do Not Track Me Online Act of 2011” and Senator Rockefeller offered the “Do-Not-Track Online Act of 2011,” both of which would require the FTC to establish regulations creating an online tracking opt-out mechanism.
We covered Senators Kerry and McCain introducing the Commercial Privacy Bill of Rights bill, the stated purpose of which is to “establish rights to protect every American when it comes to the collection, use, and dissemination of their personally identifiable information (PII).” The three privacy rights identified by the bill are the right to: (1) security and accountability; (2) notice, choice, consent, access and correction of information; and (3) data minimization, distribution constraints, and data integrity.
Data Security & Breach Notification
In May 2011 alone, three legislative proposals creating a national data breach notification standard were introduced. Numerous competing Congressional committees held hearings. Following the highly-publicized breaches at Epsilon and Sony, representatives from both companies testified before the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade regarding the need for a national breach notification standard that preempts state laws. This subcommittee ultimately approved the SAFE Data Act, and, similarly, the Senate Judiciary Committee approved bills containing breach notification measures.
Despite a strong bipartisan consensus that the United States needs a federal cybersecurity law, partisan politics prevented any significant progress on the many versions of cybersecurity legislation pending before Congress. The most recent proposal—the PRECISE Act—was introduced on December 15. Moving into next year, given the bipartisan consensus regarding the need for a federal cybersecurity law and some of the similarities between the White House’s legislative proposal and the pending bills, there is a possibility for cybersecurity legislation to be enacted in 2012. Senate Majority Leader Harry Reid (D-Nev.) has announced his intention to break the gridlock by bringing comprehensive cybersecurity legislation to the floor when Congress returns in January 2012.
In May 2011, Rep. Markey (D-Mass.) and Rep. Barton (R-Texas) introduced the “Do Not Track Kids Act of 2011,” which would expand the protections offered by the Children’s Online Privacy Protection Act of 1998 (COPPA), including covering online and mobile applications as well as establishing new privacy rules for minors under 18 (COPPA only prohibits collection of personal information from children under 12 without parental consent).
The FTC released proposed amendments to COPPA on September 15, 2011, which include several significant changes such as expanding the applicability of the rule beyond websites to mobile apps and networked games, expanding the definition of personal information, and removing the “email plus” parental consent verification mechanism. Based on the complexity of the questions raised by early comments, the FTC extended the deadline to submit comments on the proposed amendments until December 23.
Our mid-year roundup on mobile apps and geolocation data covered the Senate “Locationgate” hearings, Senator Leahy’s proposed amendments to the Electronic Communications Privacy Act, and mobile app privacy concerns. We also covered the December 8 FTC workshop that explored the privacy and security implications of facial recognition technology.