Well-Meaning “Privacy Bill of Rights” Wouldn’t Stop Online Tracking
Legislative Analysis by Rainey Reitman, EFF.org
On Tuesday, Senators John McCain and John Kerry introduced the long-awaited Commercial Privacy Bill of Rights, a sweeping bill that covers online and offline data collection, retention, use, and dissemination practices. Unfortunately, the bill may fall short of what’s needed to protect our privacy.
This bill fails to address many of the issues surrounding pervasive online tracking that have been raised by privacy advocates, explored in the Wall Street Journal’s What They Know series, and highlighted by the FTC’s recent Privacy Report. The bill’s most glaring defect is its emphasis on regulation of information use and sharing, rather than on the collection of data in the first place. For example, the bill would allow a user to opt out of third-party ad targeting based on tracking – but not third-party tracking. The consumer choice provisions in Section 202 apply only to data use—not collection—unless that data is both “sensitive” and “personally identifiable.” Moreover, Part III of the bill, which imposes lax limits on collection, cannot be enforced by state Attorneys General. This is backwards: the privacy risk is not in consumers seeing targeted advertisements, but in the unchecked accumulation and storage of data about consumers’ online activities. Collecting and retaining data on consumers can create a rich repository of information – which leaves consumer data vulnerable to a data breach as well as creating an unnecessary enticement for government investigators, civil litigants and even malicious hackers.
The bill also fails to provide meaningful regulation of the more spurious current industry practices because its third-party opt-out wouldn’t cover any site a user has an account with. This “Facebook loophole” seems deliberately designed to preserve existing (and concerning) practices such as the Facebook “like” button, which can track an individual as she moves around the web by placing cookies on her computer even if she isn’t logged into Facebook and doesn’t click the “like” button. The proposed bill won’t help a user concerned about this practice. A user would surrender any right to opt out of being tracked by Facebook or Google simply by having an account with them.
Consumers also won’t have a private right of action in the new Commercial Privacy Bill of Rights. That means consumers won’t be granted the right to sue companies for damages if the provisions of the Commercial Privacy Bill of Rights are violated. A private right of action is a powerful tool that consumers can use to compel compliance from companies that might otherwise choose not to respect users’ privacy wishes.
Finally, the bill would preempt many state online privacy laws. This means that even if a state enacts legislation that provides consumers with stronger protections for their data, those additional rights would be trumped by federal law. This is especially troublesome because California, long considered a bellwether state for privacy legislation, is currently considering legislation around Do Not Track.
While EFF applauds efforts to update privacy laws to address the needs and expectations of today’s digital consumers, we can’t help but wish this well-meaning bill provided more comprehensive rights to users. There is a growing public demand for meaningful privacy controls when using the Internet.
As Senator Kerry stated in the press conference after introducing the bill:
Companies can harvest our personal information online and keep it for as long as they like. They can sell it without asking permission or even letting you know that they’re selling your own information. You shouldn’t have to be a computer genius in order to be able to opt-out of information sharing.
EFF agrees. But a user also shouldn’t have to be a computer genius to opt out of unanticipated or unwanted data collection — which is exactly why we hope Kerry and McCain will amend their bill to provide meaningful control to online users.