US Congressmen publish internet privacy bill
May 9, 2010
Representatives Rick Boucher and Cliff Stearns, members of the House’s Subcommittee on Communications, Technology and the Internet, have introduced a bill that requires websites to give visitors certain information, in order to improve privacy protections in the US. It also lists types of data that can be used until people opt out, and others that can be used only with their consent. Relevant features are:
- “Covered information” is defined to include, among other things, names, postal and email addresses, fingerprints and retina scans, Social Security and credit card numbers and Internet Protocol (IP) addresses.
- an organisation “shall not collect, use or disclose covered information from or about an individual for any purpose” unless it makes available a privacy notice and obtains the user’s consent, though that consent can be implied.
- a privacy notice must be “posted clearly and conspicuously on the website” and it must be accessible from a link on the site’s homepage. The organisation has to include, among other things, details of the purposes for which the data are collected and used; how it stores the information; how it may merge or link the information collected about the individual with other information about the individual that it may acquire from unaffiliated parties; how it may share the information; how long it will retain the information “in identifiable form”; and how it will dispose of it.
- an organisation shall be considered to have the individual’s consent to the collection and use of covered information if it provides the privacy policy or statement and if the individual “either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual.”
- the right of the organisation to share that data with third parties is limited “without first obtaining express affirmative consent” from the subject. The individual’s “express affirmative consent” will also be required to make material changes to a privacy policy.
- “Sensitive information” is defined as including medical records, race or ethnicity, religious beliefs, sexual orientation, financial records and precise geolocation information. An organisation must not collect or disclose sensitive information from or about an individual unless it makes available its privacy notice before collecting such data and obtains the individual’s express affirmative consent.
- it does not apply to government agencies; and it will not apply to organisations that collect covered information from fewer than 5,000 people in any 12-month period and that do not collect sensitive information.
- it bars some sharing of information with other companies, but it makes an exception for advertising networks, which can have access to the information.