Senators John McCain and John Kerry recently introduced a piece of legislation called the Commercial Privacy Bill of Rights Act that would require companies that “collect, use, transfer or stores” the personally identifiable information of 5,000 or more people within a 12-month period.
The proposed act is meant to supersede any state law regarding matters of privacy as it relates to business transactions, advertising, and what constitutes fair use of personally identifiable information (PII).
What Is Personally Identifiable Information (PII)?
- The first and last name of an individual;
- Postal (residential) address;
- E-mail address;
- Telephone number or mobile number;
- Social Security number;
- Credit card number;
- Unique identifier information that alone can be used to identify a specific individual; and
- “Biometric data,” including fingerprints and retina scans.
Any of the following types of information are also included when stored with the aforementioned:
- Date of birth;
- Birth certificate number;
- Place of birth;
- Unique identifier information “that alone cannot be used to identify a specific individual” [emphasis added];
- “Precise geographic location,” excluding general geographic information that can be derived from an IP address; and
- Information about an individual’s use of “voice services, regardless of the technology used.”
What Is The Purpose of the Commercial Privacy Bill of Rights Act?
This piece of federal legislation is meant to preserve all pieces of your PII so that third parties can’t use a slice of your PII for marketing purposes.
The Commercial Privacy Bill of Rights Act of 2011 calls for an opt-out notice that must be “clear and conspicuous” to the consumer so the consumer can elect not to have his or her PII shared with, or used by, a third party for “behavioral advertising or marketing.” In that same vein, the McCain-Kerry Commercial Privacy Bill of Rights Act also requires a “clear and conspicuous” opt-in provision through which the end user consents to a third party using his or her PII for marketing purposes. Some folks question whether the bill’s opt-out provision is necessary since the National Advertising Initiative already contains an opt-out provision.
This bill does include an exception for established business relationships.
How Will The Commercial Privacy Bill of Rights Act Affect Social Media Sites Like Facebook?
Evidently, Facebook sent its legal cavalry to Capitol Hill to ensure the “established business relationship” clause would make it into the language of the bill. Facebook argued that when people signed up for its “service,” they were establishing a business relationship with the social media company. By that reasoning, Facebook did not consider itself to be a third-party advertiser for other companies. Rather, Facebook contended that it has a direct relationship with its users and, therefore, would not be in violation of the “unauthorized use” clauses of the legislation.
This means Facebook is allowed to use PII to market goods and services that Facebook doesn’t directly offer. For example, Facebook can advertise the latest video game to a teen who lists playing video games as one of her favorite activities, or a specific brand of cookware to foodies.
The Commercial Privacy Bill of Rights Act, however, could make life more difficult for ad networks acting as third-party advertisers that rely on receiving PII to help sweeten profits.