Friday, May 07, 2010

A Few Comments About the Privacy Bill Draft

A draft of a privacy bill, to be introduced later this year by Representative Rick Boucher (D-Virginia) and co-sponsored by Representative Cliff Stearns (R-Florida), was released this week.

Companies and nonprofit organizations, and generally “any person” collecting personal information from at least 5,000 people, would have to follow new privacy rules. If the information collected is “sensitive”, that is, medical records, financial records, or precise geolocation information, even an entity collecting information from fewer than 5,000 people would have to follow these rules. They would not apply, however, to government agencies. (p.2)

Geolocation information

“Precise geolocation information” would be considered sensitive information, just like your bank records or your patient file. What makes it sensitive is not the nature of the information (after all, everybody around me knows my geolocation when I stand on line for my morning coffee and bagel), but the fact that the information is collected, kept, and linked with a name, or at least with an avatar.

Companies are more and more interested in knowing their (future) customers’ locations. Facebook will soon offer a “check-in” app in partnership with McDonald’s. Customers will be able to “check in” at McDonald’s, and their location will then appear on their Facebook page, complete with an ad featuring a McDonald’s product. Such an application is likely to allow McDonald’s to know precisely when and where any customer using the app has visited one of its restaurants.

Render anonymous

The bill defines “render anonymous” as “remov[ing] or obscur[ing] covered information such that the remaining information does not identify and there is no reasonable basis to believe that the information can be used to identify [an individual or a computer/device used by a particular user.]” (p.6)

If “reasonable basis” is the benchmark used to assess whether information is indeed anonymous, one can safely contend that it would be “reasonable” to take into account the paper by Arvind Narayanan and Vitaly Shmatikov, which shows that even anonymized data can be “re-identified” using a specific algorithm.

Covered entities’ privacy policies must include how they render information anonymous after the expiration of the retention period. (p. 10) As we know, merely deleting names and addresses is not enough to make data anonymous. Remember in 2006 when New York Times journalists were able to identify an AOL user just by analyzing her search queries, even though the data had been rendered “anonymous” by AOL.

Covered entities would now have to delete or render anonymous any covered information, no later than 18 months after the date the covered information is first collected. (p.17)
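As an added illustration, not part of the original post or of the bill text, the constructed records below show why stripping names is not enough: with precise coordinates kept, every record is unique and a single piece of outside knowledge (a ZIP code, a birth year, a place someone was seen) re-identifies it, while coarsening the geolocation to roughly a kilometre puts every record in a class of at least two. Field names and coordinates are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample: names and e-mail addresses have already been removed,
# as a naive "anonymization" would do. Only quasi-identifiers remain.
RECORDS = [
    {"zip": "10001", "birth_year": 1975, "lat": 40.7506, "lon": -73.9971},
    {"zip": "10001", "birth_year": 1975, "lat": 40.7509, "lon": -73.9968},
    {"zip": "10002", "birth_year": 1983, "lat": 40.7157, "lon": -73.9863},
    {"zip": "10002", "birth_year": 1983, "lat": 40.7160, "lon": -73.9860},
    {"zip": "10003", "birth_year": 1990, "lat": 40.7317, "lon": -73.9896},
    {"zip": "10003", "birth_year": 1990, "lat": 40.7321, "lon": -73.9891},
]


def quasi_id(record, coord_decimals):
    """Quasi-identifier tuple with the geolocation coarsened to the given
    number of decimal places: 4 decimals is roughly 10 m (precise),
    2 decimals is roughly 1 km."""
    return (record["zip"], record["birth_year"],
            round(record["lat"], coord_decimals),
            round(record["lon"], coord_decimals))


def k_anonymity(records, coord_decimals):
    """Smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one individual is uniquely identifiable."""
    classes = Counter(quasi_id(r, coord_decimals) for r in records)
    return min(classes.values())


def singletons(records, coord_decimals):
    """Quasi-identifier values that match exactly one record."""
    classes = Counter(quasi_id(r, coord_decimals) for r in records)
    return [key for key, n in classes.items() if n == 1]


def matching_records(records, known, coord_decimals):
    """Records consistent with outside knowledge (a partial quasi-identifier).
    A single match is the 'reasonable basis' for re-identification."""
    return [r for r in records
            if all(quasi_id(r, coord_decimals)[i] == v
                   for i, v in enumerate(known) if v is not None)]


if __name__ == "__main__":
    print("k with precise coordinates:", k_anonymity(RECORDS, 4))    # 1
    print("k with ~1 km coordinates:", k_anonymity(RECORDS, 2))      # 2
    # Someone known to be born in 1983 and seen near 40.716, -73.986:
    print(len(matching_records(RECORDS, (None, 1983, 40.7160, None), 4)))
```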

Privacy notice

If the information is collected on the Internet, a privacy policy must be posted on the entity’s website “clearly and conspicuously” and must be accessible through a direct link from the Internet home page of the covered entity.

However, if the information is collected manually, the privacy notice must be made available to the individual, in writing, before the information is collected.

The privacy notice must include how the information is collected, the specific purpose for which the information is collected, and how the information is stored.

It also must inform the individual on how the entity may merge, link or combine his information with other information about him that the entity could obtain from third parties. This is very important, as merging information from different sources allows for the building of digital files about one individual.

The policy must inform the individual on how to contact the entity, but it also must contain either a hyperlink or a toll-free number for contacting the Federal Trade Commission. (p.11) This is a good point, as many consumers still do not know the role the FTC plays in defending their rights.

Opt-in?

The individual would have the option to opt out. The entity must inform him of this option. The individual then either consents or declines consent. (p.12)

“Either”… Who has the power to choose between opting in and opting out? If it is the entity, it is likely that it will always prefer to only allow the individual to opt out. Opting in is much more protective for consumers. So, why use “either”? I am not sure why, and this point deserves clarification.

Opt-out

If the entity chooses the opt-out option, it must be done through a “readily accessible opt-out mechanism.” (p. 17)
