Sen. Hollings, D-S.C., is moving to bring the legislation forward, holding a hearing April 25 and promising to speed it to the Senate floor. The law would require companies to make data gathered online available for inspection; get "opt in" approval when collecting "sensitive" information; set specific times when privacy notices must come up; and let attorneys sue companies for release of "sensitive" violations.
"This sucks big time," said Jim Pitts, executive director of the Financial Services Coordinating Council, which includes major insurance, banking and securities trade groups. Mr. Pitts warned the legislation would create different legal situations for collecting the exact same information online and off.
Mark Uncapher, senior VP and counsel of the Information Technology Association of America, which includes major technology companies, warned the legislation could have the opposite effect it intends. Instead of making the Internet safer, providing ensured security to consumers and fueling further growth, he warned the access requirement could let hackers or ex-spouses get information and send companies scurrying from the Internet because of increasing costs.
Sen. Hollings introduced a privacy bill last year with a broad opt out requirement; it never made it out of committee. He described the new version as better tailored while still offering consumers assurances. Some fellow Commerce Committee members who opposed the bill last year are supporting this year's bill.
"Privacy fears are stifling the development and expansion of the Internet as an engine of economic growth," he said in statement.
Applying to commercial Web sites and Internet providers and only to personally identifiable information, the legislation would create two degrees of disclosures. One would be for nonsensitive information and another for sensitive information, described as information on health, race or ethnicity, party affiliation, religious beliefs, sexual orientation, Social Security number or financial information.
Companies wanting nonsensitive information would have to provide disclosure at an early point, but those wanting sensitive information would have to get opt-in permission. A company that provided sensitive information to others could be sued by state attorneys general or privately for actual damages or $5,000 per person per instance.
Some privacy critics praised the legislation last week.
"It is a real important step," said Paula Bruening, a staff attorney for the Center for Democracy and Technology.
Marketers warned of problems. Among them: how data access would be provided when data isn't collected centrally, how information shared between company units would be treated and what constitutes "harm" when sensitive information is released. Aides to Sen. Hollings said last week they expected to leave many implementing details to the Federal Trade Commission and other agencies.