Federal Trade Commission chairman Jon Liebowitz told cable operators in L.A. last week that the commission is not interested in regulating behavioral advertising so long as the industry is making “progress” toward self-regulation. The Chairman then informed the industry what the self-regulatory principles were to be: 1) consumers are informed, in plain English and large type, what information is being collected; 2) Consumers must be given a choice whether they want that data collected – affirmative opt-in; 3) data must be stored securely; 4) privacy policy changes must be clear and may not be applied retroactively; and 5) sensitive data collection must be collected through an opt-in system.
What he did not discuss was the Financial Regulatory Reform Bill currently slated to be voted on by the Senate shortly which grants the FTC the authority and power to impose those regulations on the entire industry. What was also not discussed is the current draft of a new privacy bill which is intended to regulate data collection both online and offline conduct.
What is important about the privacy bill is that it sets out new, very detailed, notice and consent requirements for online and offline data collection. The bill regulates “covered entities” which are those entities that collect “covered information.” “Covered information” includes First name or initial and last name; Postal address; Telephone or fax number; Email address; Unique biometric data; SSN Tax ID, or any other government-issued identification number; Financial account numbers; Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user which is data such as customer identifications, IP addresses, anonymous profiles, and cookie IDs.
The required notice must contain fifteen distinct provisions, several of which are not common in current privacy policies, including: 1) how information is stored; 2) the length of time the information is retained; 3) how the information is disposed of after the retention period; 4) provides a choice and means for individuals to limit or prohibit the collection and disclosure of covered information; 5) the manner and means in which an individual may access the information that has been collected; and 6) a hyperlink to or a listing of the FTC’s online consumer complaint form or the toll-free telephone number for the FTC’s Commission’s Consumer Response Center.
Furthermore, opt-in consent would be required for the following: 1) Material changes to the privacy policy applied retroactively; 2) Disclosures of “covered information” to unaffiliated third parties such as list managers; 3) Disclosure of location-based information; and 4) Opt-in would be required for collection or disclosure of covered information about all or substantially all of an individual’s online activity [behavior marketing].
This bill dramatically changes both data collection procedures as well as your website polices – keep a close eye on its progress.