Do Not Track Me Online Act of 2011: Jackie Speier

By February 11, 2011Internet Lawyer

Do Not Track Me Online Act of 2011Firing another shot in the do-not-track Internet privacy battle, Congresswoman Jackie Speier (D-CA) introduced the Do Not Track Me Online Act of 2011. The decision by Microsoft, Mozilla, and Google to add do-not-track options to their respective Explorer, Firefox, and Chrome web browsers was never going to be enough for Congress.
I’ve included the text of the “Do Not Track Me Online Act of 2011” below with my comments bracketed in bold. There’s bipartisan support for do-not-track legislation although the effectiveness of any final version that becomes law is debatable. The new do-not-track browser option makes such a law redundant for most purposes. However, there will always be online methods to circumvent the law (packet sniffing?) and new technologies will probably render the law obsolete when passed if not before.

But because this is yet another regulatory burden to be imposed on ecommerce, here’s a look at the bill…the good, the bad, and the ugly…

112TH CONGRESS 1ST SESSION H.R. 654
To direct the Federal Trade Commission to prescribe regulations regarding the collection and use of information obtained by tracking the Internet activity of an individual, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
Ms. SPEIER introduced the following bill; which was referred to the Committee on A BILL
To direct the Federal Trade Commission to prescribe regula- tions regarding the collection and use of information obtained by tracking the Internet activity of an individual, and for other purposes.  Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.  This Act may be cited as the ‘‘Do Not Track Me Online Act’’.  SEC. 2. DEFINITIONS.  In this Act:
(1) COMMISSION.—The term ‘‘Commission’’  means the Federal Trade Commission.
(2) COVERED ENTITY.—The term ‘‘covered entity’’ means a person engaged in interstate commerce that collects or stores online data containing  covered information. Such term does not include—
(A) the Federal Government or any instrumentality of the Federal Government, nor the  government of any State or political subdivision of a State; or (B) any person that can demonstrate that such person— (i) stores covered information from or about fewer than 15,000 individuals; (ii) collects covered information from or about fewer than 10,000 individuals during any 12-month period; (iii) does not collect or store sensitive information; and (iv) does not use covered information to study, monitor, or analyze the behavior of individuals as the person’s primary busi- ness.

[Mike: In other words, the government would be exempt from the law. Hello Big Brother. Also exempt are websites that don’t get traffic. Sigh.]

(3) COVERED INFORMATION.—
(A) IN GENERAL.—The term ‘‘covered information’’ means, with respect to an individual, any of the following that is transmitted  online:
(i) The online activity of the individual, including—
(I) the web sites and content  from such web sites accessed;
(II) the date and hour of online access;

(III) the computer and geolocation from which online infor- mation was accessed; and

(IV) the means by which online information was accessed, such as a device, browser, or application. (ii) Any unique or substantially unique identifier, such as a client num- ber or Internet protocol address. (iii) Personal information such as— (I) the name; (II) a postal address or other lo- cation; (III) an email address or other user name;
(IV) a telephone or fax number;
(V) a government-issued identification number, such as a tax identification number, a passport number,  or a driver’s license number; or
(VI) a financial account number,  or credit card or debit card number,  or any required security code, access  code, or password that is necessary to  permit access to an individual’s financial account.

[Mike: This is overkill, particularly the parts about tracking IP addresses and times. If anything, curtailing IP tracking will encourage fraud, spamming, etc.]
(B) EXCLUSION .—Such term shall not include—
(i) the title, business address, business  email address, business telephone number,  or business fax number associated with an  individual’s status as an employee of an organization, or an individual’s name when  collected, stored, used, or disclosed in connection with such employment status; or
(ii) any information collected from or  about an employee by an employer, prospective employer, or former employer that  directly relates to the employee-employer  relationship.
(4) SENSITIVE INFORMATION.—
(A) DEFINITION.—The term ‘‘sensitive information’’ means—
(i) any information that is associated  with covered information of an individual  and relates directly to that individual’s—
(I) medical history, physical or  mental health, or the provision of  health care to the individual;
(II) race or ethnicity;
(III) religious beliefs and affiliation;
(IV) sexual orientation or sexual  behavior;
(V) income, assets, liabilities, or  financial records, and other financial  information associated with a financial account, including balances and  other financial information, except  when financial account information is  provided by the individual and is used  only to process an authorized credit or  debit to the account; or
(VI) precise geolocation information and any information about the   individual’s activities and relationships  associated with such geolocation; or
(ii) an individual’s—
(I) unique biometric data, including a fingerprint or retina scan; or
(II) Social Security number.

[Mike: So if you set up a website targeting Personal Finance For Hispanic Lesbian Methodists, does that mean you’re automatically violating the law with any information you collect from visitors to the site?]
(B) MODIFIED DEFINITION BY RULEMAKING.—The Commission may, by regulations  promulgated under section 553 of title 5, United States Code, modify the scope or appli- cation of the definition of ‘‘sensitive informa- tion’’ for purposes of this Act. In promulgating such regulations, the Commission shall con- sider— (i) the purposes of the collection of the information and the context of the use of the information; (ii) how easily the information can be used to identify a specific individual; (iii) the nature and extent of author- ized access to the information; (iv) an individual’s reasonable expec- tations under the circumstances; and
(v) adverse effects that may be experienced by an individual if the information is  disclosed to an unauthorized person.

[Mike: This is known as giving a blank check to the Federal Trade Commission to interpret the law and create regulations based upon that interpretation. The ongoing saga of unconstitutional delegation of power by Congress to agencies to re-write laws by regulation.]

SEC. 3. REGULATIONS REQUIRING ‘‘DO-NOT-TRACK’’ MECHANISM.
(a) FTC RULEMAKING.—Not later than 18 months  after the date of enactment of this Act, the Commission  shall promulgate regulations under section 553 of title 5,  United States Code, that establish standards for the re- quired use of an online opt-out mechanism to allow a con- sumer to effectively and easily prohibit the collection or use of any covered information and to require a covered entity to respect the choice of such consumer to opt-out of such collection or use. Regulations prescribed pursuant to this subsection shall be treated as regulations defining unfair and deceptive acts or practices affecting commerce prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). (b) REQUIREMENTS TO BE INCLUDED IN REGULA- TIONS.—The regulations prescribed under subsection (a)— (1) shall include a requirement for a covered entity to disclose, in a manner that is easily acces- sible to a consumer, information on the collection of information practices of such entity, how such entity  uses or discloses such information, and the names of  the persons to whom such entity would disclose such  information; and
(2) shall prohibit the collection or use of covered information by a covered entity for which a  consumer has opted-out of such collection or use,  unless the consumer changes their opt-out preference to allow the collection or use of such information.
(c) ADDITIONAL REGULATORY AUTHORITY.—The  regulations prescribed under subsection (a)—
(1) may include a requirement that a covered  entity provide a consumer with a means to access  the covered information of such consumer and the  data retention and security policies of the covered  entity in a format that is clear and easy to understand; and
(2) may include a requirement that some or all  of the regulations apply with regard to the collection  and use of covered information, regardless of the  source.
(d) EXEMPTIVE AUTHORITY.—The Commission may  exempt from some or all of the regulations required by  this section certain commonly accepted commercial practices, including the following:
(1) Providing, operating, or improving a product or service used, requested, or authorized by an  individual, including the ongoing provision of client service and support.
(2) Analyzing data related to use of the product  or service for purposes of improving the products,  services, or operations.
(3) Basic business functions such as accounting, inventory and supply chain management, quality  assurance, and internal auditing.
(4) Protecting or defending rights or property,  including intellectual property, against actual or potential security threats, fraud, theft, unauthorized  transactions, or other illegal activities.
(5) Preventing imminent danger to the personal  safety of an individual or group of individuals.
(6) Complying with a Federal, State, or local  law, rule, or other applicable legal requirement, including disclosures pursuant to a court order, subpoena, summons, or other properly executed compulsory process.
(7) Any other category of operational use specified by the Commission by regulation that is consistent with the purposes of this Act.

[Mike: The FTC is given power to enforce or exempt as it sees fit. When thinking about how that will play out, look at the 700+ businesses and unions (campaign contributors) now exempted from Obamacare. On the regulatory farm, not all the animals are equal.]

SEC. 4. ADDITIONAL FTC AUTHORITY.  In implementing and enforcing the regulations prescribed under section 3, the Commission shall—
(1) have the authority to prescribe such regulations as may be necessary to carry out the purposes  of this Act in accordance with section 553 of title 5,  United States Code;
(2) monitor for risks to consumers in the provision of products and services, including the development of new hardware or software designed to limit, restrict, or circumvent the ability of a consumer to control the collection and use of the covered infor- mation of such consumer, as set forth in the regula- tions prescribed under section 3; (3) perform random audits of covered entities, including Internet browsing for investigative pur- poses, to ensure compliance with the regulations issued under section 3; (4) assess consumers’ understanding of the risks posed by the tracking of a consumer’s Internet activity and the collection and use of covered infor- mation relating to a consumer; and (5) make available to the public at least 1 report of significant findings of the monitoring re- quired by this section in each calendar year after the  date on which final regulations are issued pursuant  to section 3(a).

[Mike: Bet the FTC just hates things like this. Mandate – regulate the Internet. Like giving the Commission a paper cup and telling it to empty the Gulf of Mexico with it…and then write progress reports too.]

SEC. 5. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) CIVIL ACTION.—In any case in which the Attorney General of a State, or an official or agency of a State,  has reason to believe that an interest of the residents of  that State has been or is threatened or adversely affected  by any person who violates the regulations prescribed  under section 3, the attorney general, official, or agency  of the State, as parens patriae, may bring a civil action  on behalf of the residents of the State in an appropriate  district court of the United States—
(1) to enjoin further violation of the regulations  prescribed under section 3 by the defendant;
(2) to compel compliance with the regulations  prescribed under section 3; or
(3) to obtain civil penalties for violations of the  regulations prescribed under section 3 in the amount  determined under subsection (b).
(b) CIVIL PENALTIES.—
(1) CALCULATION.—For purposes of calculating  the civil penalties that may be obtained under subsection (a)(3), the amount determined under this  paragraph is the amount calculated by multiplying  the number of days that a covered entity is not in  compliance with the regulations prescribed under section 3 by an amount not to exceed $11,000.
(2) ADJUSTMENT FOR INFLATION.—Beginning  on the date that the Consumer Price Index for All  Urban Consumers is first published by the Bureau  of Labor Statistics that is after 1 year after the date  of enactment of this Act, and each year thereafter,  the amount specified in paragraph (1) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Con- sumer Price Index published the previous year. (3) M AXIMUM TOTAL LIABILITY.—Notwith- standing the number of actions which may be brought against a person under this section the maximum civil penalty for which any person may be liable under this section shall not exceed $5,000,000 for any related series of violations of the regulations prescribed under section 3.

(c) INTERVENTION BY THE FTC.— (1) NOTICE AND INTERVENTION.—The State shall provide prior written notice of any action under subsection (a) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Commission shall have the right—
(A) to intervene in the action;
(B) upon so intervening, to be heard on all  matters arising therein; and

(C) to file petitions of appeal.
(2) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING.—If the Commission has  instituted a civil action for violation of the regula- tions prescribed under section 3, no attorney general of a State, or official, or agency of a State, may bring an action under this section during the pendency of that action against any defendant named in the complaint of the Commission for any violation of the regulations issued under this Act alleged in the complaint.

[Mike: The FTC gets first bite at the enforcement apple. However, if the Federal Trade Commission doesn’t want the case, a State Attorney General or similar state officer can pursue an Internet business under this proposed law. From an enforcement standpoint, if you think this proposed legislation is a good idea, letting the states in on the action makes sense.]

SEC. 6. EFFECT ON OTHER LAWS. (a) OTHER AUTHORITY OF FEDERAL TRADE COM- MISSION.—Nothing in this Act shall be construed to limit or affect in any way the Commission’s authority to bring enforcement actions or take any other measure under the Federal Trade Commission Act (15 U.S.C. 41 et seq.) or any other provision of law. (b) STATE LAW.—The regulations prescribed under section 3 shall not annul, alter, affect, or exempt any person subject to the provisions of such regulations from complying with the law of any State except to the extent that  such law is inconsistent with any provision of such regulations, and then only to the extent of the inconsistency.  For purposes of this subsection, a State statute, regulation, order, or interpretation is not inconsistent with the  provisions of the regulations prescribed under section 3  if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection  provided under the regulations prescribed under section 3.

Of course, talk with your Internet lawyer if you have any questions or concerns about existing ecommerce laws or the proposed Do Not Track Me Online Act of 2011.

To your online success!

-Mike the Internet lawyer

Author Mike Young, Esq.

Mike Young has been practicing business and technology law since 1994 and is an angel investor in startups. He's been an entrepreneur since 1988. To get legal help from Attorney Young, click here now or call 214-546-4247 to schedule a phone consultation.

More posts by Mike Young, Esq.