The issue of consumer privacy and data security is one of great importance for retailers whose business models are based upon creating value for consumers in the form of relevant product marketing and just-in-time information to strengthen brand relationships. As technology evolves at lightning speed and marketers use the latest tools to reach consumers, retailers are making data breach prevention and responsible use of consumer information a top priority, with legal counsel, human resources, and IT departments working toward the same goal of protecting consumer information.
Administration
Since the outset of the Obama Administration, senior FTC officials have made public statements, testified at legislative hearings and taken select enforcement actions to lay the groundwork for updating the Fair Information Practice Principles. Most notably, FTC Chairman Jon Leibowitz has indicated that FTC privacy enforcement efforts will focus on companies that do not adequately make consumers aware of their data collection practices, even in cases that do not involve personally identifiable information or pose a risk of individual economic harm. According to U.S. Deputy Chief Technology Officer Daniel Weitzner, the White House will release a consumer bill of rights shortly, which Weitzner stated would be voluntary but enforceable.

Federal Trade Commission
At the close of 2010, the FTC issued a comprehensive draft report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. The FTC report set forth initial recommendations on how companies should protect consumers’ privacy and consists of three major elements: (1) privacy by design, (2) simplified consumer choice, and (3) greater transparency. The report is intended to guide businesses as they create privacy practices and to help Congress with privacy legislation. The final report will most likely be released in December or early 2012.

Department of Commerce
The Department of Commerce’s final report on privacy is also expected to be released in late 2011 or early 2012. The draft report, Commercial Data Privacy and Innovation in the Internet Economy, was released in December 2010. The report detailed the Department’s initial policy recommendations aimed at promoting consumer privacy on the Internet.
The Framework includes policy recommendations under four broad categories: (1) enhancing consumer trust online through recognition of revitalized fair information practice principles (FIPPs), (2) encouraging the development of voluntary, enforceable privacy codes of conduct in specific industries through collaborative efforts, (3) encouraging global interoperability, and (4) ensuring nationally consistent security breach notification rules. The DOC also recommended that a new Privacy Policy Office be established within the DOC.

PLC Comment Letters in Response to FTC and Commerce Draft Proposals
RILA submitted two separate comment letters to the FTC and Commerce Department outlining what we supported and opposed within the recommendations. Our letters had many recommendations, but key points included:
LEGISLATIVE UPDATE
We have seen a flurry of privacy, data security and breach notification bills introduced during the 112th Congress, and hearings are still ongoing in both houses. However, there is still no consensus between both chambers of Congress and the administration on what should be done to address consumer privacy concerns, the so-called “cyberazzi,” and data security and breach notification issues. Although there are those on both sides of the aisle who want to legislate these issues, there are still many, including those serving on the committees of legislative jurisdiction, who feel that tough laws and government regulation would hurt innovation, commerce and economic growth. Those members would prefer that industry continue to adopt self-regulatory guidelines into their business models. These issues have taken a back seat to the debt problems and job creation issues for the time being, and it is unlikely that a comprehensive privacy, data security, or breach notification bill will be completed this year. Sources on both sides of the aisle have said that any further action will likely be delayed until after next year’s election. Another large breach like those at Sony PlayStation or Epsilon, however, could quickly move this issue back to the front burner. We believe the continued educational privacy hearings in the House, along with RILA-led member and staff briefings, will help committee members fully understand the implications that new privacy and data security regulations could have on retailers. If a new breach does occur, our goal is to have done our due diligence so Congress will have enough information to act responsibly and to prevent a knee-jerk reaction that could have dire consequences for retailers.

House
In the House, Commerce, Manufacturing and Trade Subcommittee Chairwoman Mary Bono Mack (R-CA) indicates that H.R. 2577, the Secure and Fortify Electronic (SAFE) Data Act, is a major priority for the subcommittee. H.R. 2577, which would require a national standard for data breach notification for companies when consumers’ personal information is compromised, passed her subcommittee in July. Full Committee Chair Fred Upton, although busy with the deficit reduction committee, held a members meeting in November to discuss H.R. 2577, in order to gauge Republican interest in the bill and address any outstanding issues. The Chairman is assessing whether Republicans can get on the same page and move a bill out of the full committee. On the Democratic side, there appear to be several unresolved issues with the bill. Moving the bill without Democratic support could be tricky, as some Republican members do not want to chance acting on a bill considered by some to be lacking in consumer protections.
Senate
The Senate Judiciary Committee passed three data security bills this fall: S. 1151 (Leahy, D-VT), S. 1408 (Feinstein, D-CA) and S. 1535 (Blumenthal, D-CT). At this time, no further action has been taken by the full Senate on any of the Judiciary bills. Despite the fact that the Senate Commerce Committee has historically enjoyed full jurisdiction over data security issues, the committee has not made substantial progress on its efforts to craft data security legislation. The committee had planned to mark up S. 1207, Senators Mark Pryor’s (D-AR) and Jay Rockefeller’s (D-WV) Data Security and Breach Notification Act, but pulled the bill from the agenda at the last minute. According to committee staff, there were significant disagreements on the bill, especially regarding its scope and application. The bill is currently being modified to address members’ concerns, and a spokeswoman for Senator Pryor said committee members hope to resolve these disagreements. It remains to be seen if Majority Leader Harry Reid (D-NV) will attempt an omnibus bill on privacy, data security, breach notification or cyber security, but this appears unlikely at this time. Should a bill manage to get through the Senate, action by the House also seems unlikely. RILA continues to hold member and staff educational briefings in order to ensure that legislation does not hamper the consumer experience or prevent the even flow of goods and services domestically or internationally without a corresponding benefit in consumer privacy or data security.
Retailers should continue to engage the FTC, Commerce Department and Congress in the areas of consumer privacy, data security and breach notification to ensure that the unique needs of retailers who operate in both online and offline settings are understood. Opportunities to help shape legislation and provide comments on rule changes will continue to arise in the coming year.
The basic rules governing privacy of customer information have been relatively stable for a number of years. But this regulatory environment is in the midst of fundamental change as a result of slowly emerging shifts in the policy-making and enforcement functions of the Federal Trade Commission and the Department of Commerce, which could be codified by Congress into new privacy laws that would apply broadly to commercial industries.
There are four primary laws that businesses concern themselves with in the privacy arena. The first is the FTC Act, which provides the Federal Trade Commission (FTC) with statutory prosecution authority to protect consumers against “unfair and deceptive acts.” Next are the Gramm-Leach-Bliley Act (GLBA), which regulates personally identifiable information (PII)—typically in the area of financial transactions—and the Health Insurance Portability and Accountability Act (HIPAA), which places restrictions on the use of medical-related marketing. The final law is the Children’s Online Privacy Protection Act (COPPA), which applies special rules for advertising to children under the age of 13. Other less prominent laws surrounding telemarketing, email solicitation, and consumer credit reports are also on the books, as are a myriad of state laws and regulations.
There is no one overarching federal privacy or data breach law to broadly regulate business use of data. To fill the void, the FTC has issued accepted reports to give a framework for industry self-regulation, embracing several general standards:
For more information, please contact Doug Thompson, vice president of government affairs, at doug.thompson@rila.org, Dave Garriepy, director of government affairs, at dave.garriepy@rila.org, or Carolyn Burnett, manager of government affairs, at carolyn.burnett@rila.org.