Saturday, February 19, 2011

Two privacy bills introduced by Representative Jackie Speier (D-Calif)

The Privacy and Information Security Blog reports that Representative Jackie Speier (D-Calif.) has introduced legislation to protect consumer privacy. The legislation is in the form of two bills, the "Do Not Track Me Online Act of 2011" (HR 654) and the "Financial Information Privacy Act of 2011" (HR 653). They are supported by several consumer and privacy advocate groups.

I have downloaded the bills, and have read all of HR 654. It's interesting. It requires a mechanism for people to opt out of data collection - a clear and straightforward mechanism. It also grants the FTC the right to exempt some practices from this bill. There are examples of what types of practices can be exempted, but this provision has some potential for abuse. It also has some teeth in it, although they seem a little limited, considering the size of some of the companies we're talking about. There are fines not to exceed $11,000/day of non-compliance with a maximum fine of $5,000,000. That's a lot of money, and would bankrupt a lot of companies. Other companies will feel the sting of widespread publication of their violation more than a mere $5,000,000.

This bill is a step in the right direction. Requiring that tracking be opt-in rather than opt-out would be better - if we can figure out a way to do that without destroying the internet as we know it. At this point most people are trained to expect free content. They don't realize that all of those 'free' sites they use are paid for by the information gathered about them and sold or used to target advertising. Kill that revenue stream and most, if not all, free sites would have to either shut down or charge for use. So until we can figure out how to do that without killing the internet, Jackie Speier's "Do Not Track" bill is a good starting point to bring privacy to the internet.

I haven't read all of HR 653 yet, but I like the requirements for the opt-in form:

  • (e) CONSENT FORM REQUIREMENTS: An express consent form complies with the requirements of this subsection if it meets the following criteria:
    • (1) It is a separate document, not attached to any other document.
    • (2) It is dated and signed by the consumer.
    • (3) It clearly and conspicuously discloses that by signing, the consumer is consenting to the disclosure to nonaffiliated third parties of nonpublic personal information pertaining to the consumer.
    • (4) It clearly and conspicuously discloses:
        (A) that the consent will remain in effect until revoked by the consumer;
        (B) that the consumer may revoke the consent at any time; and
        (C) the procedure for the consumer to revoke consent.
    • (5) It clearly and conspicuously informs the consumer that:
        (A) the financial institution will maintain the form or a true and correct copy;
        (B) the consumer is entitled to a copy of the form upon request; and
        (C) the consumer may want to make a copy of the document for the consumer's records;
    • (6) Such other criteria as the Bureau of Consumer Financial Protection may determine appropriate.

HR 653 requires that financial institutions make disclosure of customer data to non-affiliated financial institutions an opt-in activity. Non-affiliated just means an institution that does not control the other, is not controlled by it, and is not under common control with it. For example, if two banks in Lubbock have different names and different leadership, but both are owned by the same company, they are affiliated. If one owns the other, they are affiliated. If both are independently owned and do not have any leaders in common, they are non-affiliated.

From what I've read, this bill is good news. It requires financial institutions to hold personal information in confidence unless specifically given permission to release it to third parties. Banks are not in danger of going out of business if they can't sell customers' data. It is not a core part of their business model. This will be a win for people's right to control their data.

Selling customers' information should never have become part of any company's business model, but it happened almost before anyone noticed with the growth of the web. These two bills are a good beginning at correcting that problem. Write your representative and tell him or her to support these bills.