• Draft Privacy Bill Makes Your Location, Sexual Orientation 'Sensitive Information'
  • May 11, 2010
  • Law Firm: Gesmer Updegrove LLP - Boston Office
  • On Tuesday, May 4, 2010, Representatives Rick Boucher, Democrat of Virginia, and Cliff Stearns, Republican of Florida released a draft of a Congressional bill would extend privacy protections both on the web and off line. Mr. Boucher is the chairman of the House subcommittee on communications, technology and the Internet, and Mr. Stearns is the panel’s ranking minority member. After collecting comments on the draft, they lawmakers hope to have have formal legislation introduced within a month or so, Mr. Boucher reported in an interview.

    There is currently no national legislation governing how companies tell consumers that they are collecting data, but companies do post privacy notices because certain state laws require it. This bill would be the first law to apply to businesses requiring privacy notices.

    The bill provides a privacy baseline, providing limited protection for “covered information” and much tougher protection for “sensitive information.” The bill makes a key distinction between the two kinds of data: covered information collection is “opt-out,” while sensitive information collection would become “opt-in” only.

    According to the bill, covered information includes:

    • The first name or initial and last name
    • A postal address
    • A telephone or fax number
    • An e-mail address
    • Unique biometric data, including a fingerprint or retina scan
    • A Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number
    • A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account
    • Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer

    Companies and websites that disclose their data collection practices can harvest this data on the assumption that, by using the site, one has agreed to such collection. But they are required to provide an opt-out option that would stop all such data collection and prevent the company from using even previously acquired data.

    Sensitive information can’t be collected and stored without an explicit opt-in assent by the consumer. The bill defines sensitive information as:

    • Medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
    • Race or ethnicity
    • Religious beliefs
    • Sexual orientation
    • Financial records and other financial information associated with a financial account, including balances and other financial information
    • Precise geolocation information

    The proposed bill would expand what information should be considered confidential. It would also require companies to post clear and understandable privacy notices when they collected information. Such information could range from health or financial data to any unique identifier, including a customer identification number, a user’s race or sexual orientation, the user’s precise location or any preference profile the user has filled out. It could also include an Internet Protocol address, the numerical address assigned to each computer connecting to the Internet that many companies use now to aim particular messages at users, which the companies argue is not personally identifiable.

    The proposed bill is already seems to be making everyone unhappy. The New York Times reports that privacy advocates have said that the bill did not go far enough in protecting consumers. While other groups such as the Progress & Freedom Foundation believe the bill “could unintentionally devastate the ‘free’ Internet as we know it” given the use of data collection for online advertising resulting in “diminished consumer choice in ad-supported content and services, raise prices, quash digital innovation, and hurt online speech platforms enjoyed by Internet users worldwide.”