Senators John McCain and John Kerry recently introduced legislation in the United States Senate called the Commercial Privacy Bill of Rights Act that would require companies that “collect, use, transfers or stores” the personally identifiable information of 5,000 or more people within a 12 month period.
The proposed act is meant to supersede any state law regarding matters of privacy as it relates to business transactions, advertising, and what constitutes fair use of personally identifiable information (PII).
What Is Personally Identifiable Data (PII)?
- The first and last name of an individual
- Postal (residential) address
- E-mail address
- Telephone number or mobile number
- Social Security number
- Credit card number
- Unique identifier information that alone can be used to identify a specific individual
- “Biometric data,” including fingerprints and retina scans
Any of the following types of information are also included when stored with the aforementioned:
- Date of birth
- Birth certificate number
- Place of birth
- Unique identifier information “that alone cannot be used to identify a specific individual” [emphasis added]
- “Precise geographic location,” excluding general geographic information that can be derived from an IP address
- Information about an individual’s use of “voice services, regardless of the technology used”
What Is The Purpose of the Commercial Privacy Bill of Rights Act?
This piece of federal legislation is meant to preserve all pieces of your PII so that a third-party may not use a slice of your PII for marketing purposes.
The Commercial Privacy Bill of Rights Act of 2011 calls for an opt-out notice that must be “clear and conspicuous” to the consumer so the consumer can elect not to have his or her PII shared with, or used by, a third-party for “behavioral advertising or marketing.” In that same vein, the McCain-Kerry Commercial Privacy Bill of Rights also requires a “clear and conspicuous” opt-in provision for the end-user to give his or her consent that PII can be used by a third-party for marketing purposes. Some question whether the opt-out provision in the bill is necessary since the National Advertising Initiative already contains an opt-out provision.
This bill does include an exception for established business relationships.
How Will The Commercial Privacy Bill of Rights Act Affect Social Media Sites Like Facebook?
Evidently, Facebook sent its legal cavalry to Capitol Hill to ensure the “established business relationship” concept would make it into the language of the bill sponsored by McCain and Kerry. Facebook argued that when people signed up for their “service,” consumers were establishing a business relationship with them. By Facebook’s reasoning, they did not consider themselves to be a third party advertiser for other companies. Rather, Facebook contended they have a direct relationship with its users and, therefore, would not be in violation of the “unauthorized use” clauses of the legislation.
This means Facebook is allowed to use PII for target marketing goods and services that Facebook does not directly offer. With that said, Facebook can advertise the latest videogame to the teen who lists playing video games as one of his favorite activities or a specific brand of cookware to foodies.
The Commercial Privacy Bill of Rights Act, however, could make life more difficult for ad networks acting as third-party advertisers that rely on receiving PII to help sweeten their profits.