Despite overwhelming concerns about the threat of terrorism, the unethical conduct of corporate America, and the recent floundering of Wall Street, privacy remains an important issue among consumers in the United States and worldwide.
Key committee members from both chambers of the U.S. Congress have introduced privacy legislation. Sen. Ernest Hollings (D-S.C.), chairman of the Senate Commerce Committee, introduced S.2201, the Online Personal Privacy Act, on April 18. The Senate Commerce Science and Transportation Committee held hearings shortly after its introduction and reported the bill with amendments on May 17.
Rep. Cliff Stearns (R-Fla.), chairman of the House Commerce Committee's Subcommittee on Consumers and the Internet, introduced H.R.4678, the Consumer Privacy Protection Act of 2002, on May 8. The bill is currently under consideration by the House Energy and Commerce Committee, as well as the House Committee on International Relations. No hearings have been held on the H.R.4678.
If passed, S.2201 would require records managers to protect databases against unauthorized use and guarantee that sensitive data not be collected and shared with third parties without explicit consumer permission.
Hollings' measure calls for a hybrid approach to privacy regulation. The bill seeks an "opt-in" approach, requiring businesses to obtain consumer consent to collect and disclose sensitive personal information such as political party, religious affiliation, and sexual orientation. For less-sensitive information such as name, address, and telephone number, businesses would be required to provide notice to "opt-out" of the collection of such data. It would require the Federal Trade Commission (FTC) to create regulations for new privacy requirements and to report annually on the progress of the law.
One of the most contentious items in the bill would allow consumers the right to sue if their personal information is mishandled or improperly collected from online transactions. Service providers also would be responsible for providing utilities for users to access their information, allowing them to delete or correct any personally identifiable information. This bill would supercede any state law or regulation regarding privacy and would apply to federal agencies so long as the regulations would not compromise law enforcement activities. Provisions of the legislation would apply only to online operations.
From a global viewpoint, passage of S.2201 would bring privacy laws in the United States closer to those of the European Union (EU) and might resolve the conflict regarding data transfer between the United States and the EU.
In April, the Commerce Committee held a hearing on S.2201. Panelists included Paul Misener, vice president of global public policy for Amazon.com, and John Dugan of Covington and Burling, a law firm representing the financial industry. Both witnesses shared the concerns of Sen. George Allen (R-Va.), citing that the legislation might be "premature." In his opening statement, Allen said, "I don't think we should discriminate against personally identifiable information with regard to the medium through which the information is collected." Dugan added that the bill could "cause some companies to avoid online operations altogether."
Other dissenters included Sen. John McCain (R-Ariz.) and Sen. Ron Wyden (D-Ore.). McCain opposed the provisions in the bill creating a right for consumers to sue for privacy violations, as well as potentially cumbersome requirements to permit customers to access their personal information. Wyden stated that the bill should include a "safe harbor" for companies that adopt self-regulatory privacy standards.
Two panelists in support of the legislation were Marc Rotenberg, executive director of the Electronic Privacy Information Center, and Frank Torres, legislative counsel for the Consumers Union. Torres said that the Consumers Union could support the bill with its combined "opt-in, opt-out" approach if the right to sue is preserved. …