Kerry-McCain Privacy Bill: Opt-Outs Are In, Do Not Track Is Out

Several privacy bills have been or will be introduced in Congress this year, but observers are already saying the one proposed by Sens. John Kerry (D-MA) and John McCain (R-AZ) has the best chance of passing. It’s a bipartisan bill with support from several large corporations, including Microsoft (NSDQ: MSFT), Intel (NSDQ: INTC), and eBay (NSDQ: EBAY). It’s also not an online privacy bill: the bill’s provisions apply equally to companies on and off the internet.

Some parties have already come out in favor of or opposed to the bill. It isn’t surprising who: the Direct Marketing Association has said the bill may impose additional costs on business “without a showing that there is a market failure or a need to regulate.” Meanwhile, several consumer groups, including Consumer Watchdog and the Center for Digital Democracy, said the bill didn’t go far enough to curb bad corporate behavior.

Here’s what’s in the bill:

An opt-out for all information, and an opt-in for some sensitive information. Right now, offering opt-outs from things like online tracking is certainly considered a best practice by reputable companies, but it isn’t the law of the land. This bill would make it so. And companies would have to give “robust and clear” notice that the opt-out was available. For some sensitive information, consumers would have to affirmatively give their consent by opting in.

Data minimization. Companies should only be gathering the data they need to provide a transaction or services. If they hand off consumer information to third parties, there should be contracts binding what those third parties can do with the data.

Feds take the lead in enforcement. Both state attorneys general and the Federal Trade Commission would be able to enforce the new privacy rules. But if the FTC was interested in a case, they would take the lead; the state authorities would have to stand down. That will provide for more clarity in enforcement.

No private right of action. There aren’t many headlines about it, but privacy lawsuits, especially against internet companies, are blowing up right now. This bill would move a large amount of privacy enforcement into the hands of law enforcement, and deal a blow to the private-sector privacy plaintiffs’ bar.

“Safe Harbors” for companies that follow the rules. The FTC could approve nongovernmental organizations to oversee voluntary “safe harbor programs.” That would allow companies to exempt themselves from certain requirements of the bill, if they implemented other procedures that were just as good. These safe harbor programs would be developed by the Department of Commerce.

Here’s what didn’t make the cut:

Do Not Track provisions. Kerry told reporters today that a “robust” opt-out obviated the need for a specific Do Not Track requirement.

Limits on government. As CNET notes, the bill doesn’t apply to government agencies at all, including ones that collect vast amounts of personal information about citizens, like the IRS and the Social Security Administration.
