Sens. John McCain and John Kerry introduced a privacy bill today that aims to protect consumers' data online, a legislative move that was designed to centralize various privacy efforts already under way from industry trade groups, government regulators and the Obama administration. In recent weeks, President Obama had called on the Congress to establish a digital privacy law. The online ad industry, meanwhile, had mounted its own self-regulatory program in the past year.
The Commercial Privacy Bill of Rights Act would "keep our private data safe by laying down fair information practices," Mr. Kerry said, and would "ensure that businesses collecting personal information will secure that information and will allow those people to say whether or not they want that information used."
"All of this information sharing can be good to customers -- we acknowledge that," the Massachusetts Democrat said in a short press conference announcing the bill. "The data deluge is worrying at the same time."
In many ways, the bill codifies much of the current practice already under way between consumers and online businesses from purchasing products on eBay to reading and watching ad-supported web content.
But it also outlines new oversight for the Federal Trade Commission, enumerates new provisions -- both for consumers and businesses -- and offers some implicit protections for social networks such as Facebook.
The proposed legislation requires companies to provide clear notice about what information is being collected and for what purposes. There is a section that protects Facebook and like enterprises under the "Established Business Relationships" section, which would allow the social network to continue to collect "likes" that appear on thousands of sites across the web. Despite Facebook's advantage as a first-party company to which users have willingly offered up their information, its "like" buttons could be construed as third-party data. According to a number of Washington insiders, the Palo Alto, Calif.-based company sent an army of lawyers to the offices of Messrs. Kerry and McCain, the Arizona Republican, to ask for those terms.
For other companies that have already collected data on users -- which applies in almost every case -- they have to offer a "robust, clear, and conspicuous mechanism for opt-out" to users, a requirement that could become a sticking point for the ad industry.
"I don't know what 'robust' means," said Stuart Ingis, lead counsel to industry coalition Digital Advertising Alliance, which is in charge of the self-regulatory program. "To me, it's like 'medium rare' -- it's not medium, and it's not rare."
The industry's self-regulatory program is designed around giving consumers the ability to opt-out of being targeted, as opposed to asking people to opt-in before being targeted, which many consumer advocates have long sought. According to people familiar with the matter, a very recent version of the bill required marketers to wait for consumers to opt in before collecting data. The language was changed at the last minute as a concession to the industry, but as Mr. Ingis points out, some think the rule's requirement is phrased too vaguely to have clear and consistent meaning.
"We think the recognition of 'opt out' being the right standard is right, but adding new terms of art doesn't make sense," he said.
The privacy bill, however, does take into account the existing self-regulatory program by including a Safe Harbor provision, which allows companies to design their own privacy rules as long as they are in agreement with the bill's basic tenets. Participating companies could avoid some of the bill's requirements, but they would have to be certified by the FTC, another sticking point for the industry.
"Their proposal provides the FTC with far too much discretion in drafting implementing rules," said Mike Zanies, head of public policy for the Interactive Advertising Bureau, who also pointed out that the bill would also impose strict new requirements on first-party sites to allow their users to delete data collected by that site.
In a statement, the FTC said, "It's terrific that we're seeing so much Congressional interest in protecting consumer privacy, and that Senators Kerry and McCain are working in a bipartisan matter on this legislation. We look forward to working with Congress as the bill moves forward."
Some consumer advocates found the bill lacking as well. "The bill simply sanctions the range of current practices going on," said Jeffrey Chester, who heads up the Center for Digital Democracy. "The [legislators] say it's a best practices act. I think it's the worst practices act. It puts the control of the process in the hands of the industry."
For the moment, the bill is one of the few on the docket with bipartisan support, and given the Obama administration's recent push for a privacy law, insiders say it has a good chance of passing. But that also means that it almost certainly will not emerge from the congressional committee process in the same form that it was presented today.
"It's going to get watered down," one person familiar with the process said. "If we don't start with the highest possible standard, it's going to turn into a digital Dorian Gray."