 | |
| |
TechnologyDaily Mobile
States Give Hollings Bill Mixed Review
by Liza Porteus
State lawmakers and law enforcers are giving mixed reviews to an Internet privacy bill recently introduced by Senate Commerce Committee Chairman Ernest (Fritz) Hollings, D-S.C.
S. 2201 mandates that Internet companies must obtain consumer consent before they can use any "sensitive" information collected from customers. This process is known as the "opt-in" approach. But the bill says that companies can collect and use consumers' "non-sensitive" information unless consumers notify the firms of their disapproval, or "opt out."
S. 2201 also preempts state laws relating to "the collection, use or disclosure of personally identifiable information obtained through the Internet." The measure allows a consumer to sue in federal court for violations of the sensitive information policies.
But exactly how Hollings' bill would affect such state laws remains murky. For example, it is unclear how the federal preemption would work with state financial privacy laws -- some of which are stronger than federal financial privacy laws.
What's In Store For California and Vermont?
"One of the obvious concerns for California would be avoiding preemption of state efforts to protect the privacy of Californians," said a spokeswoman for California Attorney General Bill Lockyer. "If states do aggressively protect the privacy of individuals, then you wouldn't want the federal law -- which would be weaker -- preempting it."
California lawmakers are grappling with financial privacy bills aimed at strengthening the federal 1999 Gramm-Leach-Bliley financial modernization law. Federal lawmakers have cited bills such as these as impetus for a federal preemption law.
These California bills pose "the very real possibility that online businesses will sooner rather than later face the prospect of trying to bring their online operation into compliance with inconsistent state law," Hollings said when introducing S. 2201.
State Assemblyman Joe Nation has introduced AB 1775, which calls for financial institutions to adopt an opt-in policy for sensitive information and enables individuals to sue if that policy is violated. The Assembly Banking and Finance Committee approved that measure April 16 and referred it to the Judiciary Committee April 23. State Sen. Jackie Speier, who last year offered a financial privacy bill, is working with Nation on some provisions.
"We're hopeful we can work something out," said a Speier staff member. "The bridge is not ungulfable ... but it's not going to be easy because you've got a whole lot of people that want a train wreck."
According to the National Conference of State Legislatures, at least half of the states have laws to address the right to financial privacy and a number of state constitutions provide privacy protections. Vermont is one of four states that have enacted opt-in financial privacy laws.
"I think, in general, [Vermont Attorney] General [William] Sorrell thinks that to enact more protective protections than the federal government and preemption from the federal government is not a good idea," said a source in Sorrell's office.
Is There A Disconnect?
Hollings' bill supposedly would preempt only the portions of state laws regarding the collection or use of information via the Internet. Hollings staff members said the offline portions of that law would hold up, but online transactions would have to abide by the Hollings' law. The end result could be a stronger offline, than online, privacy law.
"Clearly, the state law as it applies to Internet activities would be preempted," said attorney John Dugan, who represents the Financial Services Coordinating Council -- a group that opposes the Hollings bill. "The question is, because of that preemption, would the whole law fall down ... That's always a question for the court to decide."
The Center for Democracy and Technology and the Internet Alliance concurred that no one is quite sure how the Hollings bill preemption provisions will interact with Gramm-Leach-Bliley.
"Preempting the states is not a simple process," said Internet Alliance Executive Director Emily Hackett.
The Software and Information Industry Association (SIIA) on April 24 sent Hollings a letter voicing the group's concerns about the bill. SIIA said the fact that many state bills already enacted or under consideration -- such is the case in California -- do not distinguish between offline and online, and the Hollings bill does, may pose a problem.
"If, in fact, the preemption provisions of the bill are not effective, S. 2201 will create massive confusion and dramatically reduce confidence for consumers, enforcement agencies, self-regulatory bodies and companies implementing the rules," SIIA wrote.
To add even more confusion, Hollings' bill states that the measure will not supercede current federal laws. With more than two-dozen federal laws addressing privacy in operation, companies may have to contend with multiple laws guiding the collection and use of personally identifiable information in the marketplace.
"I think there's great room for doubt whether the preemption provisions of this bill would have the intended effect the sponsors of the bill would think it would have," said one industry source. "I think at this point, we have a lot of unanswered questions regarding what the goal of the bill is and what the actual language of the bill is."
Other States' Positions
The Hollings bill is not yet on the radar screen for many state lawmakers and attorneys general.
But New York Attorney General Eliot Spitzer approves.
"We think it's a good bill," including the private right-of-action language, said Spitzer spokesman Brad Maione. "The fact that it's federal legislation helps us out -- it sets a national standard in this regard ... as long as we do have a bit of enforcement behind it, that's appropriate with us."
Meanwhile, Assemblyman Joe Simitian, a Democrat who represents the Silicon Valley area, last Monday introduced a refined version of his Internet privacy bill. AB 2297 requires online companies and groups to post a privacy policy, makes it a violation of state law to abuse that policy and requires businesses to report and publicize security breaches.
Simitian told National Journal's Technology Daily that he understands the concern about patchwork state regulations, but said California has to be on the forefront of this issue, since privacy is considered a fundamental right in the California Constitution, whereas it is an inherent one in the U.S. Constitution.
"Privacy has a higher position in the California Constitution ... that means that we're going to have to deal with the issue somewhat different here," said Simitian, who chairs the Assembly Select Committee on Privacy.
Minnesota Sen. Steve Kelley also has introduced a privacy bill, with Tim Pawlenty sponsoring the House version. Those bills, S.F. 2908 and H.F. 3625, require Internet service providers to adopt opt-in policies for personal information, require certain consumer information to be disclosed pursuant to wiretapping laws and allow consumers to sue for violations. Both chambers have passed S.F. 2908 and this week it will head into conference committee. Pawlenty told National Journal's Technology Daily all groups are "very near" an agreement.
"A national standard would be welcome as long as it was rigorous and wasn't full of loopholes -- that would be the best approach," Pawlenty said.
Kelley noted several unclear sections of the Hollings bill, including whether hardware data would be protected and the fact that Hollings' bill says actual personal information collected online is protected but information that is "derived or inferred" from the collected data is not protected.
"I don't understand the logic," Kelley said.
NEW FEATURE
-Advertisement-
-Advertisement-
-Advertisement-
