Update: The Do Not Track Me Online Act died and was never enacted.
House Resolution 654 — The Do Not Track Me Online Act — introduced by California congresswoman Jackie Speier on February 11, 2011, is the latest rallying cry in an ongoing struggle over Internet privacy that has been going on since the Internet went live.
What The Do Not Track Me Online Act Would Change?
The proposed legislation, nicknamed the Do Not Track Me Online Act, would make it mandatory for every company engaged in interstate commerce to disclose its data collection and data sharing procedures. (Government agencies would be exempt from this provision, as would any e-commerce site that stores information on fewer than 15,000 customers.) Additionally, the bill would give the Federal Trade Commission (FTC) 18 months to develop a mechanism that would allow Internet users to opt out of data collection.
Americans Are Concerned With Online Privacy
Americans are concerned about online privacy: A Gallup/USA Today poll taken just days before Speier introduced her bill found that 70% of Facebook’s users and over 50% of Google’s users have concerns about whether these two services provide adequate protections for their users’ privacy.
DNTM Opponents Fear Too Much Regulation
Still, the most efficient mechanism for consumers to opt out of behavioral data collection may be plug-ins, implemented at the browser level. Since this technology already exist, at least some of the provisions of Speier’s bill are redundant, constituting what many see as yet another unnecessary regulatory burden on e-commerce.
Provisions of Do Not Track Me Online Act
Section 1 establishes the FTC as the agency responsible for enforcement of the proposed legislation.
Section 2 of the proposed legislation defines the entities covered by the legislation, as well the exceptions. Additionally, Section 1 defines “sensitive information” and lists the types of data covered by the proposed legislation.
Entities covered by the proposed legislation include any person or company engaged in interstate commerce that stores or collects online data, except:
- Federal and state governments, and their agencies
- Entities that store information about fewer than 15,000 individuals
- Entities that collect information about fewer than 10,000 individuals in a 12 month period
- Entities that do not collect online information or do not use it for behavioral analysis.
Online information covered by the legislation includes:
- Personally identifiable information such as names, telephone numbers, email addresses and government-issued identifiers (e.g. drivers license numbers.)
- Unique Internet identifiers such as customer numbers and IP addresses.
- An individual’s online activity including websites and types of content accessed.
- Methods by which content is accessed including device, browser and application.
- Financially sensitive information such as credit card numbers, security codes and account numbers.
Information collected by an organization that pertains to an individual’s employment is exempt from these provisions.
Section 2 also gives the FTC the right to modify the definition of “sensitive information” at any time.
Section 3 mandates that companies covered by the legislation disclose both their data collection policies and any additional companies or other entities with which they share data. However, the FTC has the power to exempt companies from this provision as it sees fit.
Section 3 also requires the FTC to establish standards for a mechanism that will allow consumers to opt out of data collection.
Section 4 cements the FTC’s role as the federal watchdog in this capacity, making it responsible for formulating regulations that will carry out the proposed legislation’s provisions, monitoring risks to consumers as well as assessing their understanding of those risks, and performing random audits on the entities covered by the proposed legislation to ensure compliance.
Section 5 makes violation of the proposed law grounds into a private cause of action for the affected individual, and also allows state attorney generals, as well as the FTC, to enforce the law. Violations may result in a fine of up to $11,000 times the number of days a given entity is found to have been in violation of the proposed law, with a maximum penalty of five million dollars.
Criticisms of Do Not Track Me Online Act
Technological Solutions Already Allow Customers To Opt Out
A number of companies have already developed browser plug-ins that allow online users to block data tracking if they so choose – rendering the proposed legislation unnecessary.
At least one of the data collection points that Speier proposes to give consumers more control over is problematic: the tracking of IP addresses. If spammers and bittorrent users can opt out of having their ISP addresses collected, expect to see an increase in both these marginal activities.
Government agencies are exempt from the provisions of the Do Not Track Me Online Act, which raises the unsettling specter of Big Brother watching over our shoulders as we surf the Web.
The FTC Is Responsible For Both Enforcement and Exemption
H.R. 654 essentially gives the FTC carte blanche for interpreting the proposed law, in essence the ability to rewrite the law as it sees fit. This necessarily raises concerns over the proposed legislation’s constitutionality: Is Congress allowed to delegate authority to federal agencies in this manner?
The Future of Do Not Track Me Online Act
Despite these criticism, H.R. 654 is likely to pass. The bill has drawn key support from a number of different advocacy groups including the American Civil Liberties Union, US Public Interest Research Group, the Consumer Federation of America, World Privacy Forum and the Center for Digital Democracy.
H.R. 654’s catchphrase “Do Not Track” evokes the wildly popular Do Not Call registry for telemarketers – “the most popular federal government program since the Elvis stamp,” as FTC Commissioner Julie Brill put it recently.
In times like these when so many issues are polarizing legislators, the need for online privacy is one of those rare things that both Republicans and Democrats can agree upon. The legislation doesn’t come with a price tag – after all, the FTC’s infrastructure is already in place – and that makes it more likely to pass than many other bills at a time when proposing to add to the federal deficit is the political equivalent of committing suicide. Passing the Do Not Track Me Online Act is a no-risk way for Congress to tell voters who use the Internet, “We care.”