The Future of Privacy Legislation: A Conversation with Congressmen Rick Boucher and Cliff Stearns


On Wednesday, Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL), Chairman and Ranking Member of the House Subcommittee on Communications, Technology and the Internet, spoke exclusively with the Future of Privacy Forum and a select group of privacy advocates, academics, and members of the business community about the discussion draft of privacy legislation the Congressmen released on May 4.  The event was held in the Cannon House Office Building and more than a hundred participants joined either in person or via teleconference.

FPF is extremely grateful to all those who attended, and most importantly to Reps. Boucher and Stearns for their candor and willingness to participate in such a robust discussion about the future of consumer privacy legislation.

Below are several topics that were discussed during the event and some very pertinent quotes from the Congressmen.

Privacy Legislation:

The Congressmen stated that they published the bill in draft form because they wanted to receive and consider the input of public and private stakeholders before the bill’s formal introduction in Congress, and said that they have received more than seventy comments to date.  Congressman Boucher emphasized that he would like to move forward as soon as possible, but given that he wanted to take time to read and synthesize all the comments, a bill would not likely be introduced before the end of July: “When we have that satisfaction with our committee, bipartisan congressmen and stakeholders, we’ll move forward,” explained Boucher. “It is optimistic to think this will happen by end of July.  We’ll spend time digesting and thinking and seeing what level of support we can expect to receive.”

As Congressman Boucher explained, “There is a lot of concern about what information is collected and how information is shared. The lack of understanding about practices leads to a lack of trust for online consumers.”  According to the Chairman, “Our goal is to resolve the uncertainty, and to provide fundamental privacy assurances that will lead to more levels of Internet utilization.”  He added that this legislation is not designed to regulate the Internet but to provide privacy guarantees that will enhance users’ experience on the Internet.

The draft legislation aims to set baseline standards for all entities regarding how they collect, use, and share personal information in both the online and offline contexts, while recognizing that best practices are already being implemented by the largest, most reputable companies.

Targeted Advertising:

Congressman Boucher explicitly noted that his bill will not inhibit targeted advertising: “We’re internet advocates.  This is not a measure designed to regulate the internet in any way. It is designed to provide the privacy guarantees that will enhance the internet experience and lead to a greater willingness to trust online transactions.  We are not seeking to impose barriers or to inhibit targeted advertising.   We respect targeted advertising.  It is the model today that has been highly successful and it enables a lot of a very useful content to be provided for free to internet users. We don’t want to inhibit that.”

Opt-In and Opt-Out Requirements:

Congressman Boucher explained the thought process behind the opt-in and opt-out requirements included in the legislation: “The first clear requirement that we have is prominent disclosure by all entities that collect information of the information that is collected, how that information is used and the circumstances under which, and the ability, at least generically of the individuals of whom that information is collected. We then provide as a second major principle control over the collection and use practice on the part of the individual from whom the information is collected.

We generally apply an opt-out principle and the mechanism for control. We apply opt-out, for example, to all first-party transactions. We apply opt-out to interactions between a first party and a service provider, whose services are necessary to complete the first party transaction.  That information is subject to opt-out. We apply opt-out to affiliates of the first party, [and] we apply opt-out and exemptions generally for operational and transactional collection of sharing.  We apply opt-in in limited instances and those instances fall into two categories: First of all, sensitive information.  We define that as information that is very personal to the individual, such as financial information, medical information, information about children and adolescents, geographic location-specific information.  For the most sensitive information, opt-in would be required before that could be collected or used.   The second major way in which we apply opt-in is that it would generally apply to the sharing of information with unaffiliated parties.  But we have a major exception to that requirement: the sharing of information with unaffiliated parties. Advertising networks, for example, would be permitted under the ‘opt-out’ principles where those advertising networks or similarly situated parties follow the best business practices.

Let’s be specific about what these are.  These are opt-out if each advertisement that is received from any of the entities on an advertising network has a link associated with that ad that identifies the derivation of the ad, and says that it stems from the creation and use of a preference profile.  And this provides access to the preference profile. And the opportunity for that user to modify that profile. So access to the profile, and the opportunity to modify would be the first requirement.  Second requirement is that those advertisements have a link associated with it that enables upon activation the elimination of information sharing about that individual within the advertising network.  So the individual could choose not to have the individual about them distributed within the advertising network.  If those two requirements are met—and I’ll stress again, these are requirements that are in practice today by some advertising networks, then opt-out would apply with regard to information sharing, even among the unaffiliated parties.”

Privacy Notices and Privacy Policies:

Prompted by a question about the length of privacy policies from FPF Co-Chair Christopher Wolf, Congressman Stearns discussed the issue at length: “As policymakers, Rick and I have to decide to what degree to do and what degree not to do.  When I had these hearings and recognized how difficult it was to come up with a privacy bill, I almost thought that a “Good Housekeeping” seal of approval—let the private sector develop this seal of approval by talking to the Federal Trade Commission, and the FTC would give them a seal and they would use that on the webpage so that the consumer, rather than reading through the long contract about privacy, he could just use that seal of approval and that would be sufficient.

This is sort of the easy way out on this, because then the private sector is doing it and we don’t have the FTC issuing fines or perhaps we don’t have complicated bills.  But at the same time, some of this, as Rick pointed out, sometimes the consumer has a right to know what they are collecting and he or she should be able to opt-out of that collection.”

Stearns went on to explain that, “When we had a hearing they [the FTC] could not answer when and where the dialogue boxes should come up.   It didn’t come up at that point the legal language, but many of us don’t read the privacy forums that are popping up now because there is so much legalese.  So I think what you need is a general understanding of what the dialogue boxes contain, and sort of a checklist if that’s in there.  There’s got to be something so that the consumer doesn’t have to read the legal contract in detail, because one: he or she won’t know what it means; and two: it’ll scare them.  We don’t want in the long run to have consumers deterred from using the internet through these dialogue boxes that pop up that are hugely legalese.  So in the end it’s got to be up to the FTC but at the same time consumer friendly, so in the end we don’t feel as though we’re putting ourselves in a legal situation.”

Congressman Boucher added, “We are in an almost daily conversation with the FTC about privacy principles.” Boucher also noted that the FTC would have final say over the regulations of the bill, including the language of the privacy notices.

Innovation with Notices:

FPF Co-Chair Jules Polonetsky highlighted the inclusion of better transparency and control tools that appear to be a piece of the draft legislation, which would mirror the recent development of the “Power-I icon,” which was created by FPF and WPP in the past year.  This discussion prompted Congressman Boucher’s comments about how similar innovations are already appearing in the mobile technology sphere: “Many of the mobile providers have already begun a very productive consideration of how to ensure and enhance levels of privacy.  I’m reminded, for example, of the universal “opt-in” that occurs when you start a Smartphone for the first time.  It basically says, ‘Do we have the permission to track your geographic location for various applications that you may decide to employ on this device?’ … With one click affirmatively at that point [users] can decide to allow the tracking of geographic-specific information.”

US vs. EU:

Congressmen Boucher and Stearns noted that even if privacy legislation is enacted, the FTC would still have the discretion to bring enforcement actions regarding the language and manner of privacy disclosures (including for Apps and mobile devices, which they also confirmed are covered by the draft bill).  They also discussed privacy regulation in general and the compatibility of European and global standards – commenting that despite supposedly stricter privacy regimes overseas, enforcement is more robust in the United States – and stated that their legislation would aim to honor practical applications over cumbersome regulatory policy.

As Boucher stated, “We are not looking to imitate the EU. We want a lighter regulatory touch. The EU has always honored the law over practical applications.”

Stearns added, “EU privacy policy is very onerous. We don’t want the same burden. So I don’t think you can ever make them happy. We don’t want that in the U.S. [and] that’s why [the] lite draft bill is good.”