April 18, 2011
The bill, introduced by Senators John Kerry (D) and John McCain (R), has already been criticized as being both too strong and not strong enough.
In either case, it’s nice to see Congress even tackling the topic.
The bill creates an administrative rulemaking duty for the Federal Trade Commission to promulgate rules to protect consumers under the act. Enforcement also falls on the FTC, but state attorney generals are also empowered to enforce the act through civil actions.
While compelling the FTC to enforce consumer privacy protections is laudable, the bill also contains definite downsides, as Dan Tynan at PCWorld points out.
First, the bill’s rationale is that enforcement by the FTC or state AG is good enough, so it specifically bars individual civil actions.
Under many circumstances, this would be sufficient. However, in cases where an individual’s privacy rights are violated, it just makes sense to allow individuals to sue those who have wronged them.
In addition, individual complaints will likely pile up by the millions, and neither state AG’s nor the FTC have adequate resources to address them all. As such, all but the most flagrant will go ignored.
Second, the bill also preempts most state laws on the issue, meaning that the often more stringent state laws are cancelled in the face of this federal regulation.
On the upside, the bill restricts what kind of individual data can be collected and retained.
On the downside, the restrictions are somewhat open-ended: under the act, data collectors are only allowed to collect as much information as “reasonably necessary” to transact with an individual.
To figure out what “reasonably necessary” means, we’d have to wait for an FTC rule or decision. Unfortunately, even the most optimistic observer would tell you that such administrative action would take years at the earliest.
Another protection the bill introduces is the creation of an “opt-out” for consumers.
Regrettably, an individual would need to opt-out on a case-by-case basis; that is, you would need to tell each data collector to stop tracking you, rather than being able to put yourself on a “do not call” sort of list.
While the bill takes great first steps in recognizing a consumer’s right to privacy, it really doesn’t go far enough with those rights.
The biggest flaw, though, comes from the enforcement provisions.
The provisions were penned under the assumption that individual data privacy breaches are inherently large-scale violations. Obviously, as the word “individual” connotes, they are not.
Creating an individual right to a civil cause of action, even instead of all federal and state action, would be a far more efficient and effective method of enforcement.
Because the bill specifically blocks such actions, it does more harm than good in this way.
And it’s this and various other aspects of the bill that have many privacy advocates debating whether we are better off with or without the bill.
If the sponsors of the bill truly intend it to benefit consumers, this should alarm them.