Two high-profile U.S. senators have introduced legislation designed to give consumers more control over what information about them is collected online, but privacy advocates said the bill will do little to curb wide-spread data-collection practices now in place.
Senators John Kerry, a Massachusetts Democrat, and John McCain, an Arizona Republican, introduced the Commercial Privacy Bill of Rights Act Tuesday. The bill would require Web-based businesses that collect consumer information to give clear notice about the data collection and allow consumers to opt out.
The bill would require Web-based businesses to collect only as much information as necessary to complete a transaction or deliver a service, and it would require collectors to take security measures to protect the data.
"John and I start with a bedrock belief that protecting Americans' personal, private information is vital to making the Information Age everything it should be," Kerry said in a statement. "Americans have a right to decide how their information is collected, used, and distributed and businesses deserve the certainty that comes with clear guidelines."
The bill will help assure Web users that their information is secure, while allowing the information economy to continue to "thrive," Kerry added. "This is a win for bipartisanship, a win for consumers, a win for the Internet and a win for businesses online and off," he said. "Most importantly, in a Washington where partisanship and division too often triumph, it's a victory for common sense."
The bill allows businesses to market and advertise to all consumers, while businesses that have no relationship with consumers are prohibited from collecting or sharing private their information, McCain added.
Collection and sharing by businesses with no relationship to the consumer is a practice that "American consumers reject as an unreasonable invasion of privacy," he said in a statement. "Consumers want to shop, browse and share information in an environment that is respectful of their personal information."
But members of privacy groups Consumer Watchdog, the Center for Digital Democracy (CDD) and Consumer Action said they couldn't support the bill. The legislation would take away some policy-making authority from the U.S. Federal Trade Commission and would take away the right of consumers to file lawsuits against companies for privacy violations, they said. The legislation also has no requirement for a national do-not-track mechanism that consumers can sign up for, and has an exemption for Facebook's data collection, critics said.
"The bill will not protect consumer privacy, who confront the ever-expanding consumer surveillance system," said Jeffrey Chester, CDD's executive director. "It is full of loopholes and definitional problems ... that basically sanction the existing data-collection marketplace."
The privacy advocates praised McCain and Kerry for raising the online privacy issue, but said the bill falls short of their expectations. The loopholes in the bill "could leave consumers feeling that they're far more protected than they are," said John Simpson, consumer advocate at Consumer Watchdog.
The bill may limit the FTC from charging online businesses with unfair or deceptive practices in privacy cases, Simpson added. If the bill was law, the FTC may not have been able to enter into a March settlement with Google over privacy complaints about its social-media Buzz product, he said.
Several tech trade groups and companies voiced support for the legislation, however.
The Information Technology and Innovation Foundation, a tech-focused think tank, praised the bill for balancing privacy rights with the "robust commercial Internet ecosystem."
Verizon Communications called the bill a "great start" toward privacy rules, and Hewlett-Packard praised the bill for "providing businesses with the opportunity to enter into a robust self-regulatory program."
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is email@example.com.