Online privacy groups, including the Center for Digital Democracy and Consumer Federation of America, have called on House Subcommittee chairman Rick Boucher (D-Va.) and ranking member Cliff Stearns (D-Fla.) to toughen provisions in a proposed privacy bill.
Boucher released a draft of the bill and sought comment on it from stakeholders. The thrust of the groups' comments was that the draft is a good start but still needs work.
"Reps. Boucher and Stearns have launched an important debate that must lead to real privacy safeguards for consumers," said Jeff Chester, executive director of CDD. For their part, the consumer advocacy groups called for "much stronger" provisions, including expanding the definition of sensitive information and mandating an opt-in regime for data collection.
But they also argue that the bill is too strong in preempting state and local regulations on data use and disclosure. "This is incredibly broad and could block existing or new measures on the state level to limit the use of certain types of information, such as Social Security numbers, to notify consumers of data breaches, to protect health data, and to extend other needed privacy protections to consumers," they say in a letter to Boucher.
They also want the bill to include "fair information practice" principles such as not collecting more data than necessary, limiting how long it can be retained, and giving individuals the ability to access and correct data.
The groups argue that the definition of sensitive information should be expanded, for example beyond medical records to other health-related information -- say, a Web surfer's search for information on cancer, which they argue could then be used to make a decision about whether to employ or insure someone.
The bill as drafted would adopt a combination opt-in/opt-out system for data collection, depending on the data being collected. It would require Web users to opt in to collection of sensitive information relating to financial and medical records, sexual orientation, "precise geographic locations, or social security numbers."
It would also mandate opt-in for sharing that information with unaffiliated third parties, other than for an operational or transactional purpose.
CDD and the others claim they understand having a carve-out from opt-in for operational and transactional data, but maintain the definitions should be narrowed and limits put on how long that data can be retained.
The bill would allow the collection of other types of information about individuals unless they affirmatively opt out, but it would require companies that collect personally identifiable information to conspicuously and clearly make that fact known.