Senators John Kerry and John McCain introduced a tough new privacy bill on Tuesday that would require companies to notify consumers in clear language when their data is being collected and oblige them to keep that information safe from hackers.
There are increasing concerns about the amount of information companies collect about consumers and how they safeguard it. Millions of people face a heightened risk of email swindles after a massive security breach suffered by Epsilon, an online marketing firm with hundreds of firms among its clients.
The bill would apply to hundreds of companies from search engine giant Google Inc to telephone companies such as AT&T Inc to cable companies such as Verizon Communications Inc and Comcast Corp.
The bill, if it becomes law, would require companies to tell consumers why data was being collected, whom it would be shared with and how it would be safeguarded.
Companies collecting data must also allow consumers to opt out of some data collection and they must agree, or opt in, to the collection of sensitive data like medical conditions.
The bill would also press businesses to collect only the information needed for any particular transaction.
Kerry, a Democrat from Massachusetts, said the measure had support from some big technology companies.
These companies agree with us that it doesn't just make good business sense to protect their customer; they know it's the right thing to do, he told a news conference.
McCain, an Arizona Republican, noted many websites -- like most search engines -- are free precisely because they are supported by advertising.
Our bill seeks to respect the ability of businesses to advertise, while also protecting consumers' personal information, said McCain.
The administration said it liked aspects of the legislation and was carefully reviewing other elements.
Hewlett-Packard Co, Microsoft Corp, eBay Inc and Intel Corp all support the bill.
We have long advocated for comprehensive federal privacy legislation, they said in a joint statement. The complexity of existing privacy regulations makes it difficult for many businesses to comply with the law.
The bill seeks to protect data that is unique to a person, such as their name, physical address, email address, telephone number, Social Security number and credit card numbers.
Enforcing the bill would fall to the Federal Trade Commission and to state attorneys general, with the FTC taking the lead.
Attorneys general would be limited to seeking a $3 million penalty for violating security and transparency rules. The FTC might levy civil penalties of $16,000 per violation per day.
California lawmakers are considering a do not track bill, which the Kerry/McCain measure would preempt
This was not a concern, said a congressional staffer who argued it was impossible to have state-by-state regulation of data collection.
At the end of the day, this is interstate commerce, the staffer said.
The bill was a disappointment to the Direct Marketing Association, which argued it risked damaging the Internet at a time when it was a vibrant spot in the U.S. economy. In 2010, companies spent more than $25.4 billion on digital advertising, which generated $503.6 billion in sales, DMA said.
DMA is wary of any legislation that upsets the information economy without a showing of actual harm to consumers, said Linda Woolley, a DMA executive vice president.
It was also a disappointment to a coalition of consumer groups and privacy advocates, which welcomed the bill but called for it to be significantly strengthened.
I don't think this is going to affect online marketing at all, said Jeff Chester, director of the Center for Digital Democracy privacy group.
John Simpson, of Consumer Watchdog, agreed.
We cannot support it today, he said.
(Reporting by Diane Bartz; editing by Gerald E. McCormick, Matthew Lewis and Andre Grenon)