On Tuesday, May 4, a new privacy bill, known as the Boucher-Stearns Bill, was released by Representative Rick Boucher, Democrat of Virginia, and Representative Cliff Stearns, Republican of Florida. If the bill were to become law, it would represent a dramatic shift in U.S. privacy governance. To date, privacy regulation in the U.S. has generally fallen along industry lines, such as (i) HIPAA’s regulation of a hospital’s use of medical information or (ii) Gramm-Leach-Bliley’s regulation of a bank’s use of an individual’s financial information. The Boucher-Stearns Bill would be the first non-industry-specific federal privacy law, moving American regulation of personal information closer to that of the European Union and other countries. The impact on businesses and online commerce would be significant, adding broad-based constraints on how businesses collect, use, and disclose information related to individuals.
In general, the Boucher-Stearns Bill, among other things, (i) requires businesses to provide notice to and receive consent from individuals prior to collecting various pieces of information from them, (ii) obligates businesses to establish reasonable procedures to assure the accuracy, privacy, and security of the information collected, and (iii) empowers the Federal Trade Commission to implement regulations to enforce the bill’s provisions.
A few of the bill’s key provisions are highlighted below:
Notice and Consent
The bill would regulate a business’s collection, use, or disclosure of customer information. For example, the bill states that a "covered entity" is not permitted to collect, use, or disclose covered information related to an individual without (a) providing the individual with a privacy notice and (b) obtaining the individual’s consent. A covered entity is defined as "a person engaged in interstate commerce that collects data containing covered information." It is important to note that the bill would exclude from the definition of "covered entity" a business that collects covered information from fewer than 5000 individuals in any 12-month period, unless that business collected sensitive information (defined below).
Unlike the sector-specific U.S. privacy laws enacted to date, the Boucher-Stearns Bill applies to a much broader range of information. "Covered information" to which the bill applies includes the following:
- first name or initial and last name;
- postal address;
- telephone or fax number;
- email address;
- unique biometric data including fingerprint or retina scan;
- Social Security number, tax identification number, passport number, state driver’s license number, or any other government-issued ID;
- financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to access such accounts;
- unique persistent identifiers such as customer account numbers, IP addresses, and others;
- preference profile information; and
- any other information stored, used, or disclosed in connection with any covered information.
This list covers such a wide range of information that it is hard to imagine any business with an online presence not collecting at least some of it, even if unintentionally.
Finally, the Boucher-Stearns Bill would require express affirmative consent from the individual (i) upon a material change to the business’s privacy notice, (ii) to collect sensitive information, (iii) to disclose covered information to unaffiliated parties, and (iv) to collect or disclose all or substantially all of an individual’s online activities. Sensitive information is defined as medical information, race or ethnicity, sexual orientation, financial records, or precise geolocation information.
Privacy Notice Requirements
Supplementing the notice and consent requirements summarized above, the Boucher-Stearns Bill specifies the content that must be included in a business’s privacy notice:
- identity of the covered entity;
- description of information collected and the methods used to collect such information;
- purpose for which the information is collected;
- method used to store the information;
- method used to merge or combine pieces of covered information with other information collected from unaffiliated parties;
- retention period for such information;
- method used to destroy such information;
- purpose for which the information may be disclosed;
- method offered to individuals to limit or prohibit certain uses or disclosures of information;
- method by which an individual may access such information;
- method of contacting covered entity with questions related to its use or collection of information;
- method of notification to individuals of material changes to the privacy notice;
- a hyperlink to or listing of the Federal Trade Commission’s online consumer complaint form or toll-free telephone number; and
- the effective date of the privacy notice.
Establishment of Safeguards
Finally, the Boucher-Stearns Bill would require businesses to implement and maintain privacy and security programs that would (i) ensure the security, integrity, and confidentiality of covered information; (ii) protect against anticipated threats or hazards to the security or integrity of such information; (iii) protect against unauthorized access to, and loss, misuse, alteration, or destruction of, such information; and (iv) in the event of a security breach, prevent further harm and restore the integrity of the information.