House Privacy Hearing Recap

The House The Subcommittee on Commerce, Trade, and Consumer Protection held a legislative hearing on July 22. The hearing examined H.R. 5777, the BEST PRACTICES Act, introduced by Rep Bobby Rush (D-IL), and a discussion draft, released by Reps Rick Boucher (D-VA) and Cliff Stearns (R-FL), to require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.

Consumer Protection Subcommittee Chairman Rush said that he knows there is no free lunch and that online advertising often pays for that lunch, but that he thought it was imperative before the August recess to address online privacy concerns and ways to craft safeguards to address foreseeable violations of consumer privacy, suggesting those isolations should not be part of that lunch tab.

The Federal Trade Commission testified about FTC efforts to protect consumer privacy and commented on legislative proposals to improve privacy protections. David Vladeck, Director of the FTC's Bureau of Consumer Protection, described the FTC's law enforcement actions to hold companies accountable for protecting consumer privacy, focusing on data security, identity theft, children's privacy, and protecting consumers from intrusive spam, spyware, and telemarketing. The testimony noted that the FTC has brought 28 actions charging businesses with failing to protect consumers' personal information and 15 actions charging website operators with collecting information from children without parents' consent. The FTC also has brought 15 spyware cases and dozens of actions challenging illegal spam, including an action against a rogue Internet Service Provider that resulted in a temporary 30 percent drop in spam worldwide. Finally, the FTC has brought 64 actions alleging violations of the Do Not Call Rule, resulting in violators paying almost $40 million in civil penalties and giving up nearly $18 million, including consumer redress. The testimony also described the FTC's consumer and business education efforts, cross-border privacy and international enforcement work, and research and policymaking on emerging technology issues, including privacy roundtables held in 2009-10.

Edmund Mierzwinski of U.S. PIRG argued that the bills "don't address the massive growth in data collection," and "largely sanction the existing and worsening regime of ongoing collection, analysis and use of off-and online data, through the industry-preferred regime of notice and choice." He suggested the bill's provisions were essentially being grafted on.

On the other side, industry bill watchers are concerned that companies that violate the notice/consent policies could be fined $1,000 per violation up to $5 million, though they like the proposal of a "safe harbor" for companies that agree to self-regulation overseen by the FTC.