EFF - On Tuesday, Senators John McCain and John Kerry introduced the long-awaited Commercial Privacy Bill of Rights, a sweeping bill that covers online and offline data collection, retention, use, and dissemination practices. Unfortunately, the bill may fall short of what’s needed to protect our privacy.
This bill fails to address many of the issues surrounding pervasive online tracking that have been raised by privacy advocates, explored in the Wall Street Journal’s What They Know series, and highlighted by the FTC’s recent Privacy Report. The bill’s most glaring defect is its emphasis on regulation of information use and sharing, rather than on the collection of data in the first place. For example, the bill would allow a user to opt out of third-party ad targeting based on tracking – but not third-party tracking. The consumer choice provisions in Section 202 apply only to data use—not collection—unless that data is both "sensitive" and "personally identifiable." Moreover, Part III of the bill, which imposes lax limits on collection, cannot be enforced by state Attorneys General. This is backwards: the privacy risk is not in consumers seeing targeted advertisements, but in the unchecked accumulation and storage of data about consumers’ online activities. Collecting and retaining data on consumers can create a rich repository of information – which leaves consumer data vulnerable to a data breach as well as creating an unnecessary enticement for government investigators, civil litigants and even malicious hackers.
The bill also fails to provide meaningful regulation of the more spurious current industry practices because its third-party opt-out wouldn’t cover any site a user has an account with. This "Facebook loophole" seems deliberately designed to preserve existing (and concerning) practices such as the Facebook "like" button, which can track an individual as she moves around the web by placing cookies on her computer even if she isn't logged into Facebook and doesn't click the "like" button. The proposed bill won’t help a user concerned about this practice. A user would surrender any right to opt out of being tracked by Facebook or Google simply by having an account with them. Read More
