Privacy Protections

Consumer groups say proposed privacy bill is flawed

A long-awaited draft of a Congressional bill would extend privacy protections both on the Internet and off line, but privacy advocates said the bill did not go far enough in protecting consumers.

The draft legislation was released Tuesday by Representatives Rick Boucher, Democrat of Virginia, and Cliff Stearns, Republican of Florida. Mr. Boucher is the chairman of the House subcommittee on communications, technology and the Internet, and Mr. Stearns is the panel’s ranking minority member. The two lawmakers will collect comments on the draft, and hope to have formal legislation introduced within a month or so, Mr. Boucher said in an interview.

Consumer groups have been fighting what they see as the prevalence of online tracking, where online advertising is selected for a certain user — perhaps because he once visited a company's home page, perhaps because he showed an interest in automobiles or baby products, or perhaps because he is a middle-aged man.

As opposition has intensified, companies like Google and Yahoo have adjusted their own privacy policies in response to consumer concern. Industry groups, while arguing that free Internet content depends on this type of sophisticated advertising, have issued their own self-regulatory principles.

This, though, "would be the first law that applies generally to businesses requiring privacy notice, particularly in the offline space," said Lisa J. Sotto, a partner at Hunton & Williams who heads the law firm’s privacy and information management practice. "This bill represents a sea change."

Right now, Ms. Sotto said, there is no national legislation governing how companies tell consumers that they are collecting data, but companies do post privacy notices because certain state laws require it.

The proposed bill would expand what information should be considered confidential. It would require companies to post clear and understandable privacy notices when they collected information. Such information could range from health or financial data to any unique identifier, including a customer identification number, a user’s race or sexual orientation, the user’s precise location or any preference profile the user has filled out. It could also include an Internet Protocol address, the numerical address assigned to each computer connecting to the Internet that many companies use now to aim particular messages at users, which the companies argue is not personally identifiable.

Essentially, companies would need to alert consumers whenever any information the companies are collecting can identify a single person or a single computer or device.

"This bill, were it to pass, would get us closer to the more stringent privacy regimes that we see in other countries," Ms. Sotto said.

Significantly, the bill also requires companies to advise consumers even when they are collecting any of that information off line, which could include data houses and direct marketers.

The online and off-line privacy notices would have to include a description of the information being collected, why the company was collecting that information, how that information might be linked or combined with other data about the individual or computer, and why the company would disclose that information and to what types of other companies, among other requirements.

Mike Zaneis, vice president for public policy for the trade group Interactive Advertising Bureau, said that some of these definitions and requirements were "overly broad." For instance, including an I.P. address in covered information would be a huge "change to existing laws here in the U.S. and would potentially have widespread implications."

Mr. Boucher said that "our goal is to enhance electronic commerce — we are not seeking in any way to disable targeted advertising."

He added, "We are largely tracking the best business practices that exist among the most consumer-oriented companies today."

In a conference call with reporters, representatives from privacy and consumer groups said the draft included several loopholes that might let companies track consumers too closely.

There was an exemption from the disclosure requirements for what was called "operational" (defined as "a purpose reasonably necessary for the operation" of the company) or "transactional" (defined as "a purpose necessary for effecting, administering or enforcing" a transaction between company and customer). Those exceptions were "troubling," said Peter Eckersley, senior staff technologist for the Electronic Frontier Foundation, one of these groups.

Privacy advocates said they were disappointed that this approach relied on a privacy policy, which few site visitors actually read.