Today's Trends in Credit Regulation

Senators McCain and Kerry Introduce Sweeping Privacy Legislation
By Meghan S. Musselman

On April 12, 2011, Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced the Commercial Privacy Bill of Rights Act of 2011. The bill – the first major privacy measure introduced in the 112th Congress – represents an ongoing effort by federal legislators to expand the protection of individuals’ personal information.

Generally, the proposed Act would regulate the collection, use, storage and transfer of individual information. The bill would impose safeguarding and privacy notice obligations similar to those currently in place under the Gramm-Leach-Bliley Act (“GLB”), but with much broader applicability. The proposed Act also goes beyond the current scope of GLB’s privacy protections by, for example, requiring entities to establish managerial accountability and to give individuals access to their information.

The Act would apply to most entities subject to regulation by the Federal Trade Commission (“FTC”), but not to depository institutions. Further, the Act would apply only to entities that collect, use, transfer and store covered information concerning 5,000 individuals in a 12-month period.

The Act would establish two categories of individual information – “covered information” and “sensitive personal information.” Covered information is much broader and, as explained below, is subject to an opt-out mechanism. Covered information includes, for example, an individual’s name, address, social security number, and biometric data unique to individuals based upon one or more intrinsic physical or behavioral traits. Covered information can also include information such as an individual’s date of birth or geographic location when that information is used in connection with other covered information like the individual’s name, address, or social security number.

Sensitive personal information is a subset of covered information subject to heightened protection in the form of an opt-in mechanism. Sensitive personal information means personally identifiable information that, if lost, compromised, or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harm. The Act does not define “significant risk of economic or physical harm” and the potential for great uncertainty exists in determining whether covered information is sensitive personal information subject to an opt-in requirement. Sensitive personal information also includes information related to an individual’s medical condition or health record, or religious affiliation.

The bill would require all covered entities to maintain a comprehensive information privacy program and to protect covered information that they collect and maintain. Covered entities must also establish managerial accountability for the adoption and implementation of policies required under the Act. Further, covered entities must establish a process to respond to inquiries from individuals about the collection, use, transfer and storage of covered information.

Covered entities would need to provide individuals with a privacy notice explaining how the entity collects, uses, transfers and stores customer information, and to notify individuals before the entity makes a material change to any of those practices.

Entities would have to give individuals an opportunity to opt out of any use of their covered information, as well as an opportunity to opt out of the use of their information for behavioral advertising or marketing. With respect to sensitive personal information, an entity must obtain an opt-in from the consumer before using that information. An opt-in is also required if an entity intends to use or transfer covered information, there has been a material change in the entity’s stated practices with respect to that information, and the use or transfer presents a risk of economic or physical harm to an individual. The Act includes some exemptions from the opt-out and opt-in requirements, for example, to process or service a transaction, and for service providers. However, the Act clearly states that the covered entity retains liability for all information transferred to a service provider.

Entities must also give individuals a means to access their information and an opportunity to correct any inaccurate information the entity maintains. Further, if an entity enters bankruptcy, or if an individual requests the termination of a service with the entity, the individual can request that the entity render certain covered information not personally identifiable.

The proposed Act requires entities to minimize the collection and use of covered information and to ensure the accuracy of information collected and maintained.

The proposed Act directs the FTC to promulgate implementing regulations and gives the FTC authority to enforce all provisions of the Act and seek civil penalties. The Act also authorizes state attorneys general to enforce the provisions of the Act on behalf of the residents of the state. The Act specifically provides that there is no private right of action. The Act also requires the FTC to establish a safe harbor program for certain provisions of the Act, including the opt-out mechanism for behavioral and location-based advertising.

Finally, the proposed Act provides for a qualified exemption for entities subject to other federal privacy laws. The exemption reads as follows: “If a person is subject to a provision of this Act and a provision of a Federal privacy law described in subsection (d), such provision of this Act shall not apply to such person to the extent that such provision of Federal privacy law applies to such person.” Subsection (d) lists a number of federal privacy laws, including GLB. It does not appear that this section provides a blanket exemption for entities subject to GLB. Rather, to the extent a provision of GLB and the Act overlap, the entity would follow GLB. However, where the Act imposes a new requirement that goes beyond GLB, it appears that the entity would have to comply with the Act.

The Act’s effect, then, appears to be quite broad. All non-depository financial institutions would have to comply with all requirements of the Act that go beyond GLB, including the requirements to provide individuals with access to their information and the requirement to ensure the accuracy of information maintained.

Although federal legislators have been vocal advocates of increased privacy regulation in recent years, we have not yet seen the enactment of any significant recent federal privacy legislation. In the 111th Congress, financial reform and healthcare dominated the legislative agenda. Even though Congress is still dealing with the aftermath of those two laws, there could be an opportunity for privacy legislation to move this year.

Meghan S. Musselman is a partner in the Maryland office of Hudson Cook, LLP. Meghan can be reached at (410) 865-5403 or by email at mmusselman@hudco.com.
