States Support Additional Federal Consumer Information Privacy Protections
By Bruce Nielson and Samuel Castic
Fifteen state attorneys general recently sent a letter to the FTC supporting its recent proposal for a federal regulatory framework to protect the privacy and security of consumer information. The letter also recommends additional consumer information privacy and security protections that go beyond the FTC’s proposal. The FTC’s proposal, in the form of a preliminary FTC Staff Report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers” (the “Report”) was released on December 1, 2010 and is described in more detail in a prior blog entry.
The 15 state attorneys general – from Arizona, Illinois, Indiana, Iowa, Massachusetts, Montana, Nevada, New Mexico, New York, North Dakota, Rhode Island, Tennessee, Vermont, Virginia and Washington (the “States”) – make the following points in their February 18, 2011 letter to the FTC:
First, the States believe the four substantive protections described in Section V(B)(1) of the Report “should be incorporated into companies’ business practices in order to establish standard, comprehensive privacy protections for consumers.” (The four substantive provisions have to do with protecting, collecting, retaining and ensuring the accuracy of consumer information.) The States cite relatively new Massachusetts data security regulations and certain California statutes as examples of how consumer information privacy and security protections have been implemented in those states. The States recommend that, to the extent the FTC were to contemplate exempting any businesses from the reach of consumer information privacy requirements, the FTC “should err on the side of caution.” The States also indicate that they “generally support an approach to information security that assesses” the size, scope and resources of a business and the need for security of the personal information the business possesses.
Second, the States encourage the FTC to include consumers’ medical information and health insurance information as “sensitive information warranting privacy protection,” in addition to a consumer’s name in combination with a Social Security number or driver’s license or other state ID number, or with a financial account number, including credit and debit card numbers. The States also encourage the FTC “to explore further whether location-based data, which is capable of tracking a person’s movements, should be considered sensitive information.” The States recommend “strong mechanisms requiring consumer consent before companies may share location-based data with third-parties, and a concerted effort, on both the state and federal level, to educate consumers about the risks and benefits of location-based services.”
Third, the States echo the FTC’s concern about young users of social networking sites, and the States support “the implementation of additional online safety tools that: (1) protect minors from inappropriate contact on social networking sites; (2) protect minors from inappropriate content on social networking sites; and (3) provide safety tools for all social networking site users.” The States cite joint agreements between 49 State Attorneys General and MySpace and, separately, Facebook as examples of state efforts “to protect the privacy of minors on social networking sites.” The States also recommend that “all users of social media sites should have extensive privacy controls to enable them to choose who can see their profile.”
Finally, the States urge the FTC not to preempt state laws with a federal consumer information privacy framework, but rather to follow a “dual sovereignty model” in which “both state and federal authorities would have the right to bring an action under federal law, and where state enforcement authority is explicitly granted under federal law.”
The FTC received 439 comments on the Report during the comment period that recently closed. We will update this blog with more information regarding the consumer information privacy framework proposals when the FTC takes further action on the proposals.