Letter to House Committee on Energy and Commerce Urging Enactment of Consumer Privacy Guarantees

September 1, 2009

The Honorable Henry A. Waxman
U.S. House of Representatives
House Committee on Energy and Commerce
2204 Rayburn House Office Building
Washington, DC 20515

The Honorable Joe Barton
U.S. House of Representatives
House Committee on Energy and Commerce
2109 Rayburn House Office Building
Washington, DC 20515

Dear Chairman Waxman and Ranking Member Barton:

The following organizations offer this letter and the attached primer for your careful consideration. These documents were developed with the goal of recommending solutions for and informing your Committee of important gaps in consumer privacy protection. While the recommendations are not exhaustive, they do represent areas of consensus among leading organizations concerned with consumer privacy.

Privacy is a fundamental right in the United States. For four decades, the foundation of U.S. privacy policies has been based on Fair Information Practices: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.

Those principles ensure that individuals are able to control their personal information, help to protect human dignity, hold accountable organizations that collect personal data, promote good business practices, and limit the risk of identity theft. Developments in the digital age urgently require the application of Fair Information Practices to new business practices. Today, information from consumers is collected, compiled, and sold secretly, all done without reasonable safeguards.

Consumers increasingly rely on the Internet and other digital services for a wide range of transactions and services, many of which involve their most sensitive affairs, including health, financial, and other personal matters. Companies are now engaging in behavioral advertising, which involves the surreptitious monitoring of user activity, just one example of new ways that data is being collected and used.

In order to protect the interests of Americans, while maintaining robust online commerce, we recommend that Congress enact clear legislation to protect consumer privacy that implements Fair Information Practices. The legislation should include these main points (for more detailed recommendations, please see the attached Legislative Recommendations Primer):

  • Individuals should be protected even if the information collected about them in behavioral tracking cannot be linked to their names, addresses, or other traditional “personally identifiable information,” as long as they can be distinguished as a particular computer user based on their profile.

  • Sensitive information should not be collected or used for behavioral tracking or targeting. Sensitive information should be defined by the FTC and should include data about health, finances, ethnicity, race, sexual orientation, personal relationships and political activity.

  • No behavioral data should be collected or used from children and adolescents under 18 to the extent that age can be inferred.

  • There should be limits to the collection of both personal and behavioral data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the individual.

  • Personal and behavioral data should be relevant to the purposes for which they are to be used.

  • The purposes for which both personal and behavioral data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes; with any change of purpose of the data, the individual must be alerted and given an option to refuse collection or use.

  • Personal and behavioral data should not be disclosed, made available or otherwise used for purposes other than those specified in advance except: a) with the consent of the individual; or b) by the authority of law.

  • Reasonable security safeguards against loss, unauthorized access, modification, disclosure and other risks should protect both personal and behavioral data.

  • There should be a general policy of openness about developments, practices, uses and policies with respect to personal and behavioral data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

  • An individual should have the right: a) to obtain from a business, or otherwise, confirmation of whether or not the business has data relating to him; b) to have communicated to him data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

  • Consumers should always be able to obtain their personal or behavioral data held by a business engaged in tracking or targeting.

  • Every business involved in any behavioral tracking or targeting activity should be accountable for complying with the law and its own policies.

  • Consumers should have the right of private action with liquidated damages; the appropriate protection by federal and state regulations and oversight; and the expectation that online data collection entities will engage in appropriate practices to ensure privacy protection (such as conducting independent audits and the appointment of a Chief Privacy Officer).

  • Data collected for behavioral tracking or targeting should be protected by the constitutional safeguards that rule evidence collection.

  • The FTC should establish a Behavioral Tracker Registry.

  • There should be no preemption of state laws.

Sincerely,

Jeff Chester, Center for Digital Democracy
Susan Grant, Consumer Federation of America
Joel Kelsey, Consumers Union
John Simpson, Consumer Watchdog
Lee Tien, Electronic Frontier Foundation
Melissa Ngo, Privacy Lives
Beth Givens, Privacy Rights Clearinghouse
Evan Hendricks, Privacy Times
Amina Fazlullah, U.S. Public Interest Research Group
Pam Dixon, The World Privacy Forum

Cc: Reps. Boucher, Stearns, Rush and Radanovich

Attachment: waxman-barton-letter-20090901.pdf (70.48 KB)