April 12, 2011

Senator John Kerry, Chairman

Subcommittee on Communications, Technology, and the Internet

Senate Committee on Commerce, Science and Transportation

218 Russell Bldg., Second Floor
Washington D.C. 20510

Senator John McCain

241 Russell Senate Office Building
Washington, DC 20510

RE: Commercial Privacy Bill of Rights Act of 2011

Dear Senator Kerry and Senator McCain:

We are writing to thank you for your leadership on consumer privacy through the introduction of the “Commercial Privacy Bill of Rights Act of 2011.”  We wish to express our support for your efforts to provide consumers with better control over the way their information is collected, stored, used and shared online. This bill represents an important step towards the adoption of a comprehensive online privacy law based on the Fair Information Practice Principles (FIPPs). We believe that the approach adopted in the bill is balanced and pragmatic, and we hope to continue working with you to ensure that consumers’ privacy rights are protected and strengthened.

For the first time, all covered entities would be required to provide consumers with a clear and conspicuous means to opt out of all unauthorized uses of covered information, and also to offer a robust, clear and conspicuous opt-out for the sharing of covered information with third parties for behavioral advertising purposes. Consumers who do not wish to have their information used or shared online will be able to indicate their preferences to websites and advertisers, who would be required by law to respect those choices. We believe this is an improvement over current industry self-regulatory initiatives, which hinge on companies’ voluntary participation. We hope that as the bill moves along, legislators will also ensure that consumers’ choices are persistent and enduring. Consumers should not have to opt out again and again, every time they clear the cookies on their machines.

We are pleased that the bill offers heightened protections for sensitive personally identifiable information (SPII), such as information related to a medical condition and certain financial information. The collection, use and dissemination of sensitive consumer data is one of the greatest causes of concern in today’s online data tracking environment. Companies can easily access the most intimate details about individuals and compile them into comprehensive profiles that can then be sold to the highest bidder, without the consumer’s permission or control. This bill gives some power back to consumers by requiring companies to obtain affirmative opt-in consent before the collection, use or transfer of SPII, with only a few very carefully defined exceptions. We hope that the definition of “sensitive” could be broadened somewhat to include, for example, information related to sexual orientation and race.

We also support the definition of “covered information” in the bill, especially the inclusion of “unique identifier information” which is defined as a unique persistent identifier associated with an individual or a networked device. With the use of persistent identifiers, the distinction between PII and supposedly anonymous or de-identified information (non-PII) is increasingly losing its significance. Companies no longer need to know consumers’ names or Social Security numbers when tracking their online activities: disparate pieces of online and offline information can easily be combined to create detailed profiles that can be linked to specific users. The bill acknowledges this technological development and pushes companies to put in place privacy protections not only for data that is personally identifiable on its face, but also for data that, although seemingly anonymous, can easily be used in conjunction with other pieces of data to identify an individual. In addition, the bill directly prohibits the sharing of information with third parties, unless they agree not to combine information that is non-PII with other information for the purposes of identifying the individual.

We agree that the Federal Trade Commission should play an active role in the enforcement of this act, especially with regard to the review and approval of safe harbor programs. The safe harbor program would allow companies to propose initiatives that implement the requirements of the act. The FTC will review applications for safe harbor programs and grant or deny approval based on the program’s capacity to measure up to the bill’s requirements. Once approved, all safe harbor programs must submit annual reviews to the FTC. Should an entity claim it is following a safe harbor program when in fact it is not, both the FTC and state attorneys general can initiate an enforcement action against that entity and seek civil damages. These provisions signal that bad actors that say one thing but do another will be punished.

We are concerned, however, about the bill’s current definition of “third party.” As it currently stands, the bill grants “first party” status to all affiliates, whether or not the consumer would have reason to know that such relationships exist. We are concerned that this definition could allow unrestricted sharing of all consumer data, sensitive and non-sensitive, among hundreds of “related” entities. We would propose that the distinction between “first parties” and “third parties” hinge more on reasonable consumer expectation that could be based, for example, on common branding between the affiliates.

We would also encourage that some additional protections be added for sensitive online users, such as adolescents. Teens between the ages of 13 and 17 make up a large portion of Internet users today. At the same time, they are more vulnerable to inappropriate uses of their personal information online, especially because many of them do not understand the potentially detrimental consequences of freely sharing personal information. Sites aimed at adolescents, for example, should provide greater controls, transparency, and limits on information collection.

Finally, we strongly encourage you to include the establishment of a universal and persistent “Do Not Track” mechanism in any final comprehensive privacy bill. Such a mechanism would ensure that consumers would not have to exercise choices on a company-by-company or safe harbor-by-safe harbor basis; instead, consumers could make one simple, uniform and persistent choice to opt out of behavioral tracking if they wished to do so.

In closing, thank you again for moving forward on such an important issue.  We are committed to working with you and your staff on this critical issue in the weeks ahead.

Sincerely,

Ioana Rusu

Regulatory Counsel

Consumers Union