Feeds

US lawmakers publish internet privacy Bill

Draft law to regulate online info sharing

High performance access to file storage

A new law has been proposed that mandates information to be given to website visitors to improve privacy protections in the US. It also lists types of data that can be used until people opt out, and others that can be used only with their consent.

The proposal (pdf) has been published by members of the House of Representatives, Rick Boucher and Cliff Stearns, who are on the House's Subcommittee on Communications, Technology and the Internet. They claim it will offer better protection to users from the increased processing of data demanded by the growing use of behavioural advertising.

The draft law sets new rules for what it calls "covered information" and "sensitive information".

"Covered information" is defined to include, among other things, names, postal and email addresses, fingerprints and retina scans, Social Security and credit card numbers and Internet Protocol (IP) addresses.

The law says that an organisation "shall not collect, use or disclose covered information from or about an individual for any purpose" unless it makes available a privacy notice and obtains the user's consent, though that consent can be implied.

The privacy notice must be "posted clearly and conspicuously on the website" and it must be accessible from a link on the site's homepage. The organisation has to include, among other things, details of the purposes for which the data are collected and used; how it stores the information; how it may merge or link the information collected about the individual with other information about the individual that it may acquire from unaffiliated parties; how it may share the information; how long it will retain the information "in identifiable form" and how it will dispose of it.

The law says that an organisation shall be considered to have the individual's consent to the collection and use of covered information if it provides the privacy policy or statement and if the individual "either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual".

However, the law limits the right of the organisation to share that data with third parties "without first obtaining express affirmative consent" from the subject. The individual's "express affirmative consent" will also be required to make material changes to a privacy policy.

"Sensitive information" is defined to include medical records, race or ethnicity, religious beliefs, sexual orientation, financial records and precise geolocation information. An organisation must not collect or disclose sensitive information from or about an individual unless it makes available its privacy notice before collecting such data and obtains the individual's express affirmative consent.

The law will not apply to government agencies and it will not apply to organisations that collect covered information from fewer than 5,000 people in any 12-month period and that do not collect sensitive information.

The law would bar some sharing of information with other companies, but it makes an exception for advertising networks, which can have access to the information.

"An individual has a reasonable expectation that a company will not share that person’s information with unrelated third parties," said Boucher in a statement. "If a company wants to share an individual’s personally-identifiable information with unaffiliated third parties other than for an operational or transactional purpose, the individual must grant affirmative permission for that sharing.

"Many websites work with third-party advertising networks, which collect information about a person or an IP address from numerous websites, create a profile and target ads based on that profile," it said. "As an exception to the general rule requiring opt in consent for third-party information sharing, opt-out consent would apply to sharing of an individual’s information with a third-party ad network if there is a clear, easy-to-find link to a webpage for the ad network that allows a person to edit his or her profile and, if he chooses, to opt out of having a profile, provided that the ad network does not share the individual’s information with anyone else.

"Companies may collect information about individuals unless an individual affirmatively opts out of that collection," said Boucher. "Opt-out consent also applies when a website relies upon services delivered by another party to effectuate a first party transaction, such as the serving of ads on that website."

“I have been working for years to enact meaningful privacy protection legislation and this draft is advancing the process," said Stearns. "While I may not support everything in the current draft bill, it is important to get the input of stakeholders."

"Our goal is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure," said Boucher. "That greater sense of privacy protection will be particularly important in encouraging the trend toward the cloud computing."

Boucher sought to reassure advertisers that the legislation is not designed to stop them using data to show what they think are the right adverts to the most profitable audience.

"Online advertising supports much of the commercial content, applications and services that are available on the Internet today without charge, and this legislation will not disrupt this well established and successful business model. It simply extends to consumers important baseline privacy protections,” he said.

UK consumer regulator the Office of Fair Trading is conducting an investigation into whether it needs to take action to protect consumers over the use of their information to decide what ads they see.

The European Union's then-Consumer Affairs Commissioner said last year that she, too, would monitor behavioural ad systems:

"If we fail to see an adequate response to consumers’ concerns on the issue of data collection and profiling, as a regulator, we will not shy away from our duties nor wait for a cataclysm to wake us up," warned Meglena Kuneva last year.

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Singapore decides 'three strikes' laws are too intrusive
When even a prurient island nation thinks an idea is dodgy it has problems
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.