Top 10 Privacy Issues for 2011
Social media and location-based technologies top the list of concerns.
Shortly before Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced their online privacy legislation, Lora Bentley spoke with Behnam Dayanim, co-chair of the Litigation and Regulatory Group at the law firm of Axinn Veltrop & Harkrider.
Bentley: There are different pieces of privacy legislation being discussed in Congress right now. Are they essentially the same?
Dayanim: There's the legislation introduced by Rep. Jackie Speier (D-Calif.), which has been called the "Do-Not-Track" bill. Then there's legislation that I don't think has been introduced yet, but has been widely discussed. It's being pushed by Sen. Kerry and Sen. McCain, and has been referred to as the "Privacy Bill of Rights."
They do differ in their details, but I think they're both designed to increase the level of protection afforded to personal information online, and to try to limit the use of personal information directly to the transaction in which the consumer is engaged. That's an oversimplification, but that's the fundamental idea.
Bentley: Do they differ in terms of what they consider personal information? In other words, what information is covered?
Dayanim: The definitions are not identical. How they differ and whether at the end of the day you'll end up with different coverage is unclear, in part, because they both rely on the Federal Trade Commission to flesh out the provisions.
But one example of a potential difference ... the Speier bill, I believe, says IP addresses are personal information. I don't believe the draft Kerry bill expressly says that. Now, the definition of personal information it uses could be interpreted to include that, but it doesn't expressly say that. The reason I note that one is that IP addresses have not been included in the definition of personal information in any statute currently on the books. So that would be an expansion of the law.
I think people have started to consider persistent IP addresses personal information anyway, so I don't know how controversial it would be, but it would be a broadening of the current statutory definition.
Bentley: Can you speak to how the do-not-track bill recently introduced in California will impact federal efforts to get online privacy laws on the books?
Dayanim: That's an interesting question because, in the privacy area, California has been a trailblazer or an outlier, depending on your perspective, in terms of its approach. It's been very aggressive in trying to address privacy issues. I'm not extremely familiar with the details of the California bill, although I am aware of it, but what happens to it will depend upon whether federal legislation passes.
For example, if the Kerry bill passes, it might pre-empt the California bill because it does have pre-emption provisions ... I don't think the Speier bill would pre-empt the California bill. It would work fairly similarly to the California bill.
On the other hand, if you see several states start passing legislation like this, I think you'll see Congress moving forward to try and pre-empt the field, to draft a single standard. If you get competing directions here it could create problems for companies that have a nationwide scope to their operations. That's always an issue with data privacy, but it's even more of an issue when you're talking about Internet-specific data privacy.