United States: Internet Privacy Legislation Released In Congress

Originally published May 18, 2010

Keywords: internet, draft privacy legislation, Boucher, Stearns, interstate commerce, personal information, disclosure

On May 4, 2010, Representative Rick Boucher (D-VA), the Chairman of the House Subcommittee on Communications, Technology, and the Internet, and Cliff Stearns (R-FL), Ranking Republican Member of the Subcommittee, released a discussion draft of privacy legislation. The draft proposes comprehensive disclosure and consent requirements for information collected through the Internet and by other means. Representatives Boucher and Stearns are gathering feedback on the draft and plan to develop a revised bill in the next several weeks.

The draft legislation covers entities "engaged in interstate commerce that collect[] data containing covered information." This broad scope would potentially impact a wide range of activities, including retail, web publishing, search engines, Internet advertising, social networking, and Internet access. Covered information includes a range of personal information, such as including an individual's social security number, contact information, and email address. The scope also extends to certain financial information and preference profiles.

Disclosure and consent requirements form the core of the draft legislation. The bill requires display of detailed privacy-related notices and specifies protocols for gaining necessary consumer consents for the collection, use, and sharing of covered information. An individual must consent to the collection, use, or sharing of her information. The draft generally permits "opt-out" consent, but certain types of information and uses require express, affirmative "opt-in" consent.

Situations requiring affirmative consent include the collection or disclosure of "sensitive" covered information. This information includes medical and financial records, race, religion, sexual orientation, and "precise geolocation information." Affirmative consent is also required before a material change in an entity's privacy or disclosure practices. In addition, the draft prohibits the collection, use, or disclosure of information "about all or substantially all of an individual's online activity," for any purpose, without affirmative consent. Further, the bill prohibits "any provider of a product or service that uses location-based information" from disclosing such "information concerning the user of such product or service" without affirmative consent.

A user must also provide affirmative consent to permit disclosure of covered information to a third party. However, covered entities can share such information under certain circumstances with "service providers," which are entities that handle advertisements or provide other administrative functions for covered entities, such as data processing and customer support. In addition, with regard to individual managed preference profiles, the draft permits disclosure to an "advertisement network"—provided that the network does not disclose the information to another party without the affected individual's affirmative consent.

The draft includes a number of exceptions to its disclosure and consent requirements. These exceptions are intended to mitigate burdens on Internet commerce. For example, the draft exempts certain information from notice requirements when such information is collected for "operational" or "transactional" purposes. These purposes include improvement of an entity's products, services, or operations, and disclosure to affiliates that possess similar privacy policies and practices. Operational purposes, however, expressly exclude use or disclosure for marketing, advertising, or sales purposes. Additionally, the draft generally permits aggregation and disclosure of information rendered anonymous as long as such information cannot identify a specific individual or device.

Learn more about our Government Relations and Privacy & Security practices.

Visit us at www.mayerbrown.com.

Copyright 2010. Mayer Brown LLP, Mayer Brown International LLP, Mayer Brown JSM and/or Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.

Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.