One day after Senators Kerry and McCain introduced their Commercial Privacy Bill of Rights Act of 2011, Representatives Cliff Stearns and Jim Matheson introduced a new bill, the Consumer Privacy Protection Act of 2011. Unlike Kerry-McCain (or California’s proposed Do Not Track Me Online Act), it focuses on personally identifiable information (PII) and does not address behaviorally targeted advertising. Nonetheless, it does propose new legal obligations for commercial and non-profit entities that collect, sell, use, or disclose the PII of more than 5,000 consumers during any consecutive twelve-month period.
Some of the bill’s requirements may sound like old hat to many covered entities. For example, they would have to establish clear and readily available privacy policies governing their collection, sale, and disclosure of PII, and follow other requirements that have become conventional in bills oriented towards the Federal Trade Commission's Fair Information Practice Principles (FIPPs) (for more on the principles, see the FTC's published principles). But the bill's requirements do invite participation in self-regulatory safe harbor programs: covered entities enjoy a presumption of compliance if they create and maintain a self-regulatory program that is approved by the FTC. Once approved, programs would have five-year terms, and each self-regulatory program would have to contain a process for resolving disputes with consumers. The bill does not propose to supersede the many sector-specific laws, such as those providing privacy rights in the communications, health, and financial industries. The bill would be enforced by the FTC, and provides for no private right of action.