Federal Legislation and Online Privacy Policies

Many website and blog operators will need to modify their privacy policies.

In a previous article, I made the point that due to variations in evolving state laws requiring online privacy policies, the U.S. needs a standard set of requirements at the federal level (see previous post: Are Online Privacy Policies Required by Law? dated 10/25/2010). Without a federal standard, online entrepreneurs were going to have a difficult, if not impossible, time complying with privacy rules.

As the saying goes… be careful what you wish for!

As of this writing (10 months later), 16 online privacy-related bills have been introduced in Congress. Some of these bills overlap and will not be signed into law, but all of them, to some degree, deal with *PII management and disclosure practices for certain website and blog operators. So it will be interesting to see what shakes out.

(*PII is an acronym for personally-identifiable information. For more information, see previous post: What is PII?)

If you are an online entrepreneur, this is a very relevant issue. It’s not a question of whether you will need to make changes to your privacy policy and internal practices; it’s a matter of when and how significant they will need to be.

16 Privacy Bills Introduced in Congress so Far This Year

Table 1, below, is a list of bills introduced in Congress so far in 2011. It includes links to THOMAS, the database of U.S. Congress legislative information. If you would like to read details of a particular bill, click the bill number in the LINK column and that will take you to a Bill Summary & Status screen. In the table in that screen, click Text of Legislation in the second column, first row.

U.S. Federal Legislation Proposed so far in 2011
affecting Online Privacy Policies



| #  | Bill Title                                                   | LINK    |
|----|--------------------------------------------------------------|---------|
| 1  | Best Practices Act                                           | HR 611  |
| 2  | Do Not Track Me Online Act                                   | HR 654  |
| 3  | Financial Information Privacy Act of 2011                    | HR 653  |
| 4  | Commercial Privacy Bill of Rights Act of 2011                | S 799   |
| 5  | Consumer Privacy Act of 2011                                 | HR 1528 |
| 6  | Data Accountability and Trust Act                            | HR 1707 |
| 7  | Do Not Track Me Online Act of 2011                           | S 913   |
| 8  | Data Accountability and Trust Act (DATA) of 2011             | HR 1841 |
| 9  | Do Not Track Kids Act of 2011                                | HR 1895 |
| 10 | Electronic Communications Privacy Act Amendments Act of 2011 | S 1011  |
| 11 | Personal Data Privacy and Security Act of 2011               | S 1151  |
| 12 | Secure and Fortify Electronic Data Act                       | HR Dis  |
| 13 | Geolocation Privacy and Surveillance Act                     | HR 2168 |
| 14 | Geolocation Privacy and Surveillance Act                     | S 1212  |
| 15 | Data Security and Breach Notification                        | S 1207  |
| 16 | Location Privacy Protection Act of 2011                      | S 1223  |


– Table 1 –

Who Will be Affected

Online entrepreneurs with small operations are not targeted by some of these bills based on current language. Ultimately, it depends on what gets negotiated in Congress and signed into law.

Senate bill 799 (line 4 in table 1), for example, mandates a privacy policy only if PII of more than 5,000 individuals is collected during any consecutive 12-month period.

Senate bill 1151 (line 11 in table 1) deals with data brokers, which it defines as:

A business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals for the purposes of providing such information to non-affiliated third parties on an interstate basis.

Sample of What is Coming

If something like Senate bill 799 becomes law, here is what can be expected. Collectors of PII that meet the volume threshold (mentioned above) will be legally required to:

1.     Implement security measures to protect the PII they collect and maintain.

2.     Provide clear notice regarding the collection practices and purpose of such collection.

3.     Provide the ability to opt-in for the collection of sensitive PII. (See previous post for definition of sensitive PII: What is PII? section I, Examples of PII.)

4.     Provide the ability for an individual to opt-out of any information collection that is unauthorized by the Act. The Act specifically requires “robust and clear notice” about the ability to opt-out of the collection of information for the purpose of transferring it to third parties for behavioral advertising.

5.     Provide access and control to individuals to either access and correct their information, or to request cessation of its use and distribution.

6.     Limit data collected – Collect only as much information as necessary to process or enforce a transaction or deliver a service.

7.     Limit retention periods – Retain PII for only a reasonable period of time.

8.     Bind third parties to comply with the Act – Collectors must bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the Commercial Privacy Bill of Rights Act requirements.

9.     Make efforts to ensure PII is accurate – The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.

The Time Has Come

The number and size of PII breaches in recent years is nothing short of unbelievable. In just the past few months alone, the Sony PlayStation Network (PSN) was hacked and over 100 million customer accounts were compromised. Epsilon, the world’s largest permission-based email marketer, had a massive breach of customer lists of its major brand clients. And Citigroup recently reported that a cyber attack may have affected over 360,000 of its customers. If you’ve been getting your daily dose of business news, you know the list goes on and on.

While federal standards for PII handling will not eliminate the possibility of PII breaches, a universal set of requirements (for the U.S. at least) makes more sense than having individual states draft inconsistent mandates that only confuse and frustrate online businesses.

What are your thoughts? Is federal oversight of online privacy practices a good thing? Feel free to leave a comment. Your email address and any other PII you may include will be handled securely and never sold, leased, donated, or otherwise shared with any third parties. 🙂



  1. Posted 12 years ago

    Helpful information. Thanks for the outline of a complex issue entrepreneurs must deal with.


Render Visions Consulting