Boucher Privacy Bill -- Quick Review

I'm a little late to the game with this piece of legislation but here's a quick review and round-up of other reviews.

The release of Boucher's privacy bill generated exactly what was intended -- a lot of discussion.  The "for discussion draft" version Congressman Rick Boucher (D-VA) and Congressman Cliff Stearns (R-FL) released on Tuesday, May 4th, 2010 can be found here along with a press release and executive summary.

The bill represents a world of change that has rubbed a lot of industry and lobby groups the wrong way.  The bill targets both the online and offline worlds, mandating clearer privacy notices when collecting personal information.  The bill establishes new definitions of personal and sensitive information, some of which seem to be borrowed from HIPAA, including:

  • Covered Entity -- a person engaged in interstate commerce that collects data containing covered information.
  • Covered Information -- Information including name, telephone, address, email, biometrics, SSN or other government-issued ID number, financial account information, any unique persistent identifiers such as a customer number, unique pseudonym/alias or IP address.
  • Sensitive Information -- Information associated with Covered Information relating to medical records, race/ethnicity, religious beliefs, sexual orientation, financial records, precise geographic location information.


Surprisingly, IP addresses, a technical concept historically misunderstood by legislators and the judiciary alike, have been added to this list.  I believe that in the context of this bill Boucher, while having good intentions, does not understand the far-reaching implications of adding IP addresses to a protected information category.

The bill keeps with the U.S. tradition of being an opt-out country.  On page 12, lines 15-19, this opt-out nature is defined as "(ii) the individual either affirmatively grants consent for such collection and use or does not decline consent at the time such [privacy] statement is presented to the individual."

Section 6 (page 21) discusses use of location-based information in a slightly confusing manner.  It moves to a specific opt-in consent model and defines explicit opt-in as, "...except as provided in Section 222(d) of the Communications Act of 1934...any provider of a product or service that uses location-based information shall not disclose such location-based information concerning the user of such product or service without that user's express opt-in consent.  A user's express opt-in consent to an application provider that relies on a platform offered by a commercial mobile service provider shall satisfy the requirements of this subsection." 

To note: "application provider" is not defined anywhere earlier in the bill, and as written this section really does not change anything.  It does not further protect location-based information; it says, simply, that if you use the product you agree to have your information shared (with the exceptions already mandated by the Communications Act of 1934).  Anyone else have a different read of this?

Lastly, the enforcement section.  Enforcement is given to the Federal Trade Commission under its unfair and deceptive acts or practices authority.  The bill allows State AGs to enforce the FTC rules by bringing suits against violators; however, the bill does not allow a private right of action.

Quick thoughts:

  1. The bill keeps with the notice and consent model, which really does not work.  People don't read privacy policies because they are largely unreadable, riddled with legal jargon, and dubious at best (status-quo). 
  2. The opt-out model definition pretty much says that if you're too lazy to read the privacy policy handed to you and you continue forward with the transaction, you've agreed to have your information collected/shared/sold (status-quo).
  3. The inclusion of IP addresses as protected information could prove very problematic.
  4. The location-based information section does nothing.
  5. "The FTC's authority could prevent States from imposing stronger laws and private citizens from bringing cases against companies." ~Emily Steel, WSJ
  6. Strict and prescriptive lists of "covered information" and "sensitive information" make the bill too rigid and do not take into account future growth of information holdings and collection points.

It's surprising to see a bill so uniformly criticized, especially by groups that are generally at odds with each other. 

"That raises a lot of concerns for us," says Ari Schwartz, vice president at the privacy group Center for Democracy & Technology. Source: Emily Steel, WSJ

"The industry has really dodged the privacy bullet here," says Jeffrey Chester, executive director of Center for Digital Democracy, a consumer privacy group in Washington. "This is very flawed legislation." Source: Emily Steel, WSJ

"We're pretty disappointed with the bill," says Linda Woolley, executive vice president of government affairs for the Direct Marketing Association. "There are some pretty significant changes to online and offline marketing practices that have gone on for many, many years." Source: Emily Steel, WSJ

"This bill is not the answer," said Michelle De Mooy, a senior associate at the pro-regulation group Consumer Action. "We don't think it effectively protects consumer information online." Source: Declan McCullagh, CNET

Adam Thierer, president of the free-market Progress and Freedom Foundation, was equally skeptical--albeit for an entirely different reason. "By mandating a hodge-podge of restrictive regulatory defaults, policymakers could unintentionally devastate the 'free' Internet as we know it," he said.  Source: Declan McCullagh, CNET

"Consumers still have to rely on digital fine print to find out how to protect their privacy," Jeff Chester, director for the Center for Digital Democracy, said in a telephone conference. Pam Dixon, a World Privacy Forum attorney, added that there are "no requirements" on what that fine print should look like. Source: David Kravets, Wired's Threat Level