New bill renews Internet privacy fight

American businesses weren't very happy about a privacy bill that Rep. Rick Boucher announced in May. The Interactive Advertising Bureau, for instance, said the Virginia Democrat's draft legislation would have "major" effects on legitimate business practices.

Well, if they disliked the Boucher bill, they're really going to loathe a new Democratic proposal that would slap even more extensive regulations on virtually any U.S. business.

A bill introduced Monday by Illinois Rep. Bobby Rush, chairman of a House consumer subcommittee, would levy fines of up to $5 million on businesses and individuals unless they abide by a complex set of new regulations to be administrated by the Federal Trade Commission. A hearing is scheduled for Thursday at 11 a.m. PT.

Rush's bill applies to any "person" or business that stores personal information, including someone's name, mailing address, e-mail address, and phone or tax number. That person must provide, if requested, "access to" information stored about others.

There is an exemption for small businesses, but not if they hold 15,000 or more names, e-mail addresses, or other personal information in their records. The language appears to be broad enough to apply to local retailers, small businessmen like plumbers and carpenters, and even individuals who have a sufficient quantity of e-mail addresses on their PCs.

The 55-page measure arrives as companies' data collection and use practices are being subjected to increasing scrutiny on Capitol Hill, in part because of high-profile privacy missteps by Facebook and Google that have attracted criticism from some politicians. While it's unlikely that Rush's proposal will become law this year--there's precious little legislative time left before the November elections--a favorable welcome would give it considerable momentum for 2011.

Rush has a history of interest in these topics. He previously signaled interest in examining Web companies' behavioral advertising practices and once threatened to hold hearings on the Google-DoubleClick merger, but never followed through. (He's also been a foe of Net neutrality laws.)

"The Rush bill establishes a forward looking and flexible framework for protecting consumer privacy," said Leslie Harris, president of the Center for Democracy and Technology, an advocacy group that receives funds from foundations and corporations. "It builds on the sound privacy principles set out in Rep. Boucher's earlier draft and provides the robust set of fair information practices that CDT has called for it."

Jim Harper, an attorney at the free-market Cato Institute, points out that Rush's bill explicitly does not apply to the government. "It's unbelievable that they should so brazenly exempt the federal government," he said. "The federal government should be covered, as should political parties and campaign committees. Congress should practice what it preaches."

Harper says it reminds him of James C. Scott's book, "Seeing Like A State." Governments and big corporations "radically simplify what they oversee to make it governable," he said. "In things like forestry and agriculture, this has had devastating environmental effects because ecosystems don't function when you eliminate the thousands of 'illegible' relationships and interactions. This is Seeing Like a State for the information economy.

Marc Rotenberg, director of the Electronic Privacy Information Center, said he had not yet had a chance to review the language. In general, he said, "I do think people should have enforceable privacy rights and I don't think the industry can police itself."

When Boucher circulated a draft of his proposal in early May, the reaction was nearly uniform: everyone hated it. Liberal special interest groups announced they were "disappointed" that Boucher didn't slap even more regulations on Internet businesses. Free-market think tanks panned it for going too far. And industry groups said it was far too broad as currently drafted.

In some ways, the new Rush bill is narrower. It treats "sensitive" information including race, religion, and ethnicity as different from standard personal information. It generally keeps opt-out as a default. It lifts the number of records required to trigger the regulations from 5,000 to 15,000. It holds out the possibility of an FTC-approved safe harbor for some businesses that self-regulate.

On the other hand, Rush hopes to mandate new "physical safeguards" that apply to anyone holding 15,000 or more records, encourage civil litigation over possible violations, and impose new regulations such as saying business "shall retain such data only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement."

The legislation is called the Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act, or BEST PRACTICES Act of 2010.