Senators push for privacy, data security legislation

Web users need to have more control over what personal information is collected, a senator says

Democratic senators call for privacy and data security legislation.

Democratic members of a Senate committee promised Wednesday to push hard for new online privacy protections and for legislation that would require companies to put security monitoring tools on their networks.

It's time to stop online companies from collecting consumer data and using it to "their detriment," said Senator John "Jay" Rockefeller, chairman of the Senate Commerce, Science and Transportation Committee. "I want ordinary consumers to know what's being done with their personal information, and I want to give them the power to do something about that," he said during a hearing.

A series of recent data breaches at Sony's PlayStation Network, Citigroup and e-mail service provider Epsilon show the need for new regulations to help consumers control their personal information, said Rockefeller, a West Virginia Democrat.

Rockefeller called on the Senate to pass his Do-Not-Track Online Act, introduced in May, and the Data Security and Breach Notification Act, introduced by Rockefeller and Senator Mark Pryor, an Arkansas Democrat, on June 15.

The data security bill would require companies that have data breaches to notify affected customers, as more than 45 state laws now do. It would also require companies holding personal information to have security policies on the collection and use of the information, to have plans for identifying "reasonably foreseeable" vulnerabilities in their systems and to take corrective actions against the vulnerabilities.

The bill would also require companies to have a process for erasing personal data.

Basic security safeguards and breach notification are "a cost of doing business in the new world," Rockefeller said.

The do-not-track bill requires online companies to honor consumer requests to opt out of online tracking efforts. The bill would allow the U.S. Federal Trade Commission to take enforcement action against companies that fail to honor the do-not-track requests.

The goal of the do-no-track legislation is to make it easy for Web users to stop all companies from tracking them online, Rockefeller said. "One click, no information collected," he said.

A comprehensive approach to privacy and data security is needed, added Senator John Kerry, a Massachusetts Democrat. "What we're talking about today is the ability of people to have some impact on the way digital profiles about them are compiled, and then sliced and diced and traded in a marketplace," he said.

Kerry and Senator John McCain, an Arizona Republican, introduced the Commercial Privacy Bill of Rights Act in April. Their bill would require Web-based businesses that collect consumer information to give clear notice about the data collection and allow consumers to opt out.

There's a growing bipartisan call for privacy legislation, Kerry said.

But others at the hearing questioned the need for some privacy legislation. The Senate should consider data breach notification legislation, but there doesn't seem to be a consensus about the need for new privacy rules, said Senator Patrick Toomey, a Pennsylvania Republican. Toomey questioned whether consumers have been harmed by online data collection.

"We need to thoroughly examine this issue and make sure we don't apply a solution in search of a problem," Toomey said. "In a world where millions of people voluntarily share very personal information on websites like Facebook and Twitter on a daily basis, I'm not sure exactly what consumer expectations are when it comes to privacy, but I am pretty sure different consumers have different expectations."

New regulations could hurt Internet businesses and could reduce the number of free online services consumers get, Toomey added, echoing concerns from some Internet companies about do-not-track rules. "I urge that we proceed with caution," he said.

There have been few studies about the cost of new privacy rules, added Thomas Lenard, president of the Technology Policy Institute, a free-market think tank. A do-no-track rule could increase consumer annoyance by forcing websites to deliver them unwanted advertisements instead of ads targeted to their interests, he said.

Without new studies, there's no way to know whether the privacy proposals "will improve consumer welfare or not," he said.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies