
CASRO General Counsel Reports on Recently Introduced Federal Privacy Bill

Friday, August 10, 2012  

While Passage of Rush Bill Unlikely in 2010, Feds Appear Intent on Pushing for Integrated Privacy Legislation

The Rush bill would require companies to:
  • offer consumers meaningful choice about the collection, use and disclosure of their personal information
  • disclose in a detailed privacy policy their practices with respect to the collection, use, disclosure, merging and retention of personal information and explain consumers' options regarding those practices
  • obtain "opt-in" consent to disclose information to a third party
  • have reasonable procedures to assure the accuracy of the personal information they collect and permit consumers access to that information so they can correct or amend certain of it; and
  • implement reasonable procedures to secure information and to retain personal information only as long as necessary to fulfill a legitimate business need.

The Rush bill also expands the concept of what is considered personal information. The definition of "covered information" in the Rush bill covers not only traditionally protected personal information, such as a person's contact information, financial account numbers and important government-issued identifying numbers (like Social Security numbers), but also all unique persistent identifiers, such as customer numbers, user aliases, IP addresses and other unique identifiers used to identify an individual. This means that the collection, use and disclosure of IP addresses and of unique identifiers assigned to panelists (for example, those associated with digital fingerprinting efforts) will be subject to the Rush bill's protections described above.

Interestingly, the Rush bill creates a "safe harbor" that would exempt companies from the "opt-in" requirement if they participate in one or more universal opt-out programs operated by industry groups and monitored and approved by the Federal Trade Commission. The Rush bill also broadly exempts aggregated and de-identified information, provided that certain safeguards are taken to ensure that such information cannot be reconnected to the individual to whom it relates. The FTC will have primary responsibility for enforcement of the Rush bill, but the bill also gives state attorneys general and private individuals the ability to take civil action against companies that violate its requirements. The Rush bill will preempt similar state data protection and privacy laws, but existing federal laws that touch on privacy, such as HIPAA, COPPA and Gramm-Leach-Bliley, will remain in full effect.

If the Rush bill ultimately earns passage, it seems likely that the United States' privacy laws will for the first time be deemed "adequate" by the European Union. If the EU does make such a determination, it will mean that the EU Safe Harbor program offered by the U.S. Department of Commerce will become moot, and personal data may be more readily shared between companies in the US and EU.

We will continue to monitor the progress of the Rush bill, Rep. Boucher's bill and any other efforts by Congress to pass a comprehensive privacy statute.
