CIOs will have more to worry about if a controversial bill that lets consumers sue companies that misuse their information continues to move through Congress.
In late May, the Senate Committee on Commerce, Science and Transportation approved the Online Personal Privacy Act, S. 2201, introduced by Sen. Ernest Hollings (D-S.C.), in a 15-8 vote. Under the bill, companies would have to offer opt-in consent for sensitive information posted online that will be shared with third parties. Companies would also be required to let users opt out of having their nonsensitive data, such as telephone numbers and addresses, given away. That means consumers would need to explicitly agree to having such sensitive details as their income, bank account number or sexual orientation passed on to a third party or collected for marketing purposes.
If a company confuses how it filters the data and reveals a customer’s sensitive information, that person could bring the company to court and collect up to $500. The thought of being tied up in court cases has some companies, and high-tech and business groups, including the U.S. Chamber of Commerce and the Software and Information Industry Association (SIIA), feeling queasy.
“We are concerned that a private right of action will create less certainty and clarity in the marketplace, as each court will supply its own definition as to what constitutes ‘actual harm’ or ‘reasonable access’ or ‘reasonable security,’” said Barbara Lawler, chief privacy officer of Hewlett-Packard, at the bill’s introduction hearing.
The committee made a few changes to the bill (the original amount users could sue for was as high as $5,000, and the revised bill exempts small businesses that have fewer than 25 employees and 1,000 customers who provide sensitive data online), but most of the language is intact. Along with citing their opposition to the bill’s lawsuit provision, opponents told the committee that they are concerned that the bill doesn’t adequately address how it will preempt state laws, and it addresses only online business while avoiding offline transactions. “[It] will create massive confusion and dramatically reduce confidence for consumers, enforcement agencies, self-regulatory bodies and companies implementing the rules,” said SIIA President Ken Wasch in a statement.
Hollings limited the scope of the bill to information collected online because of consumers’ immediate need to protect their privacy when dealing with the Internet, where identity fraud is becoming more commonplace and customer profiles are being sold to marketers, says Andy Davis, Hollings’s spokesman.
On the House side, Rep. Cliff Stearns (R-Fla.) introduced a privacy protection act in early May that does not allow consumer lawsuits. In committee at press time, that bill addresses data collection for online and offline business.