The Commercial Privacy Bill of Rights Act of 2011 is a very important departure from the usual Congressional attempts at putting rules on the Internet in that it avoids two big traps: First, it doesn’t define specific technical standards in the rules that it attempts to impose on Internet enterprises and users. Second, the bill was developed with the help of the industry to create a law that would both protect users of the Internet and also be something that legitimate Web companies could implement relatively easily without having a big negative impact on their operations.
This bill, written by U.S. Senators John Kerry (D-Massachusetts) and John McCain (R-Arizona), differs from proposed “Do Not Track” legislation in that it avoids defining a specific technical standard, such as the Do Not Track flag offered by some browsers. Instead, it attempts to regulate a business practice that has been shown to be badly needed.
Basically, the new law, assuming this legislation eventually passes in both houses of Congress, would make it illegal for companies to collect private information on their Websites without explicit permission from the person from whom the information is being collected. In addition, it would explain to users what was being done with the information, how it would be used, who would use it and what would be done with it in the future.
The result of the new law, if passed, is that companies would be allowed to market to consumers, but the consumers would retain control of their information. It is, in general, much more flexible than the Do Not Track feature recommended by the Federal Trade Commission, since it allows consumers to decide on a case-by-case basis what will happen to their information on each site they visit. With the provisions in this bill, it will effectively impose a Do Not Track capability without the need for a specific browser feature. In addition, it will work with browsers that don’t have that feature.
The consumer-advocacy and privacy groups that oppose the Kerry-McCain bill are being short-sighted. The problem with demanding that browsers or Websites use a specific technology is that in the world of the Internet, the technology is changing constantly. It’s entirely possible-likely even-that Do Not Track will be overcome by changes in technology shortly after it’s imposed. The DNT flag in the browser will need to change to meet other needs, effectively either preventing browser development or making the Do Not Track issue irrelevant.
Kerry-McCain Web Privacy Bill a Step in the Right Direction
title=Privacy Bill Lacks Enforcement Power}
On the other hand, the privacy groups do have one point in their favor. Despite the fact that they’re wrong about Do Not Track, they’re right in not liking the fact that the bill gives consumers no means by which to hold companies accountable for violating the law. Without a penalty for ignoring the law, the rules effectively have no teeth. This means that while the bill may give consumers certain rights, there is no way to actually ensure that they get those rights. This is a problem.
In fact, it’s a big enough problem that, as well-meaning as the Kerry-McCain bill is, that deficiency should be changed before the Senate gets to vote on it. To accomplish that, the Senators need to make clear in the bill what recourse consumers have when their rights are violated. Or they need to add some kind of enforcement mechanism that’s realistically available to consumers. Right now, the draft of the bill simply calls on state attorneys general or the Federal Trade Commission to enforce it.
While there are civil penalties included in the bill, it currently does not specify what those penalties might be except that the maximum penalty can’t exceed $3 million. There’s also a daily maximum penalty of $16,500, but that’s for not being in compliance. For a large Internet company, the amount is basically chicken feed.
As a result, someone who believes that their personal information was used has to either convince their state attorney general or the FTC to do something about it. The FTC has been somewhat effective in shutting down junk phone calls through the Do Not Call list, but the process is excruciatingly slow. Depending on the state attorney general involved, it’s hard to see how that road would be much more effective.
The bottom line is that while this bill is probably a very good idea, there should be more recourse for individuals who suffer abuses by unethical, or simply sloppy, Internet commerce companies. As it stands, an individual may never see anything, or have anything changed unless they have the wherewithal to force action on the government.
Still, with a few more teeth, the Kerry-McCain bill is far better than the weak and bound-to-fail attempts that have gone before it. These senators are on the right track. They just need to make sure that their legislation stays on the right track and actually has some effect once it’s signed into law.