Governance & Risk Management , Privacy

Draft Bill Defines Net Privacy Standards

Sponsor: Move to Cloud Computing Increases Need for Privacy Protections
Draft Bill Defines Net Privacy Standards
Draft legislation began circulating this week through the corridors of the Capitol complex that would establish - in the words of its sponsors - meaningful privacy protections for Internet users, which they say is particularly important as businesses begin to adopt cloud computing.

The proposed bill - offered by the chairman and ranking Republican on the House Energy Subcommittee on Communications, Technology and the Internet, Reps. Rick Boucher of Virginia and Cliff Stearns of Florida - sets rules on disclosure of privacy practices, collection and use of information and disclosure of information to unaffiliated third parties.

"Our goal is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure," Boucher (pictured) said in a statement that accompanied release of the draft bill. "That greater sense of privacy protection will be particularly important in encouraging the trend toward the cloud computing."

Provisions of the draft legislation. according to Boucher, include:

    Disclosure of Privacy Practices: Any company that collects personally identifiable information about individuals must conspicuously display a clearly-written, understandable privacy policy that explains how information about individuals is collected, used and disclosed.

    Collection and use of information: As a general rule, companies may collect information about individuals unless an individual affirmatively opts out of that collection. Opt-out consent also applies when a website relies upon services delivered by another party to effectuate a first party transaction, such as the serving of ads on that website.

    No consent is required to collect and use operational or transactional data-the routine web logs or session cookies that are necessary for the functioning of the website-or to use aggregate data or data that has been rendered anonymous.

    Companies need an individual's express opt-in consent to knowingly collect sensitive information about an individual, including information that relates to an individual's medical records, financial accounts, Social Security number, sexual orientation, government-issued identifiers and precise geographic location information.

    Disclosure of Information to Unaffiliated Parties: An individual has a reasonable expectation that a company will not share that person's information with unrelated third parties. If a company wants to share an individual's personally-identifiable information with unaffiliated third parties other than for an operational or transactional purpose, the individual must grant affirmative permission for that sharing.

    Many websites work with third-party advertising networks, which collect information about a person or an IP address from numerous websites, create a profile and target ads based on that profile. The bill creates an exception to the opt-in consent requirement for third-party information sharing by applying opt-out consent to the sharing of an individual's information with a third-party ad network if there is a clear, easy-to-find link to a webpage for the ad network that allows a person to edit his or her profile, and if he chooses, to opt out of having a profile, provided that the ad network does not share the individual's information with anyone else.

    Implementation and Enforcement: The Federal Trade Commission would adopt rules to implement and enforce the measure. States may also enforce the FTC's rules through State attorneys general or State consumer protection agencies.

Boucher characterized this legislation as a "timely and essential measure" that reflects the broad consensus among the lawmakers circulating the draft bill.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.