Momentum seems to be growing for a federal electronic data privacy law that would pre-empt the 44 state data breach notification laws already on the books and is more in line with European data privacy laws.
“If you work for an information broker, you definitely should be paying attention to this,” said Miriam Wugmeister, who chairs the global privacy and data security practice at law firm Morrison & Foerster. “But if you’re just a CIO at a national retail chain or at a financial institution, then this really is not that different.”
With this important caveat: The bill, like laws in states such as Massachusetts and Oregon, is moving toward what Wugmeister calls the next evolution in data privacy — a preventative approach with specific requirements for protecting data in the first place.
The proposed federal electronic data privacy bill, known as H.R. 2221, was introduced in April with little fanfare but is generating a bit more buzz in the wake of recent hearings on Capitol Hill.
Last week, representatives of the nation’s biggest brokers of online information — Google, Yahoo — appeared before House subcommittees on communication and consumer protection to answer questions about behavioral targeting, the tracking of users’ online behavior for various kinds of gain. Debate focused on the conflict between the individual’s right to privacy online and the advertising industry’s ability to make money.
Privacy advocates argued that most Internet users don’t understand the extent to which their online behavior is being monitored or how much electronic personal identifying information (PII) is being collected by large data brokers, such as Yahoo and Google. Nor are users aware of their ability to opt out of these data collection systems. Therefore, users need regulations that would require their consent to be tracked — or an opt-in (not opt-out) provision.
Advocates for the advertising industry argued these provisions would upend an industry already seriously weakened by the economic recession.
Another aspect of the law, if passed, would strengthen consumers’ ability to access and correct any personal information collected by businesses.
“In the U.S., unlike in the European Union, we don’t typically have the right to call up Amazon and say, ‘Tell me everything about me,’” Wugmeister said.
For CIOs at businesses that do not collect PII for sale to others, Wugmeister has two pieces of advice.
“If I were a CIO, I would read Massachusetts,” she said. The law is among the nation’s most stringent for data protection and is proactive, requiring a comprehensive written security program and employee training. It also applies to any business, in or out of the state, that collects personal identifying information from a Massachusetts resident.
“The other thing you could read is the federal safeguards rule of the FTC,” she said. The rules are forming the consensus used by enforcement authorities, including the drafters of this bill, she said.
As for the increasingly anxious discourse on online behavioral tracking by data brokers, Wugmeister is a bit more mystified. “Those profiles of us for our offline behavior already exist. Every time you walk with your cell phone you are constantly transmitting your location. Your cell phone carrier has a log of every place you’ve been. Every time you use your credit card, there is a record of every place you’ve been and every place you’ve shopped.” In other words, Big Brother is already here.
In the coming months, I’ll be writing a lot more about H.R. 2221 and other IT compliance and security topics in weekly news articles for SearchCompliance.com. Let me know what compliance issues you’re grappling with and what kinds of information would be useful.