Last month, California Representative Jackie Speier introduced H.R. 654, the so-called Do Not Track Me Online bill, to Congress. The bill is the first response to the Federal Trade Commission’s December 2010 request for the establishment of a Do Not Track registry for online users that would be similar to the Do Not Call registry for telemarketing calls established in 2003. The Do Not Track Me Online bill calls for the FTC to establish regulations requiring covered entities (defined as companies engaging in interstate commerce that collect or store online data), to allow customers to opt out of online tracking. The bill provides for monetary penalties for violations of the bill, not to exceed $5 million for a related series of events.
The Do Not Track Me Online bill would require covered entities to comply with the requests of consumers not to track their online movements via tracking cookies and other technologies, and also to provide reports to the agency regarding data-collection methodology and data-sharing activities. The bill also leaves open options for the FTC to modify its rules to include other requirements, specifically including a provision to force covered entities to provide consumers with means to access the consumers online activity data stored by the covered entity.
These regulatory requirements would not apply to companies that: 1) store online activity information on less than 15,000 people; 2) collect online activity information from less than 10,000 consumers in a year; 3) do not collect sensitive information from consumers; and 4) do not use online activity information to analyze online behavior as the company’s primary business. Although this is the preliminary draft and likely will undergo significant changes before it gets to the floor for a vote, the power and reach of the bill lies in the “sensitive information” element to the exclusion above. The bill defines sensitive information as information related to the health, race, religious, sexual orientation, financial accounts, geolocation, or personal identifiers of the consumer, though it allows the FTC room to modify this definition. The FTC could broaden the scope of covered entities to include those that collect other personally identifying information—a move that would increase the rule’s scope to require any company that collects sensitive information, regardless of its size, to be forced to comply with these regulations.
About the author
Andrew Martin:
As an associate attorney with extensive prior experience advising information technology start-ups, Andrew’s practice focuses on finding solutions for his clients’ intellectual property issues. Due to his extensive experience in the software and technology industries, Andrew understands both the practical and legal issues involved in IP licensing agreements and disputes. In addition to licensing, Andrew helps his clients find new ways to use existing technologies to assist his clients in areas such as data privacy compliance. Andrew uses his diverse background which includes founding a record label and working for a world-wide concert promoter when counseling the firm’s entertainment clients.
Get in touch: amartin@scottandscottllp.com | 800.596.6176