ARCHIVES: This is legacy content from before Marketing Dive acquired Mobile Marketer in early 2017. Some information, such as publication dates, may not have migrated over. Check out the new Marketing Dive site for the latest marketing news.

What the new consumer privacy bill means for data collection

By Adam Snukal

Last week an unnamed bill was proposed in the United States House of Representatives designed to establish a system of checks and balances that would govern the manner in which consumer privacy data is both collected and used. 

The bill, sponsored and largely captained by Rep. Rick Boucher (D-VA), who currently serves as chairman of the House subcommittee on communications, technology and the Internet, is intended to represent a much-expected privacy proposal to regulate how marketers in the $25 billion online advertising industry collect, use and share information about consumers.

The fundamental questions of both how and who is best suited to regulate consumer privacy on the Internet were weighed in on quite heavily over 2009.

Ambouched
In February 2009, the Federal Trade Commission supplemented its December 2007 "Self-Regulatory Principles for Online Behavioral Advertising" report by highlighting the FTC's voluntary best practices for the behavioral advertising industry.

Then, in June 2009, with the goal of stemming further government speak on the issue of behavioral advertising and consumer privacy, a group of the nation's largest media and marketing trade associations released their ambitious seven self-regulatory principles to protect consumer privacy in ad-supported interactive media. 

The principles were essentially crafted to require advertisers and Web sites to clearly inform consumers about data collection practices, and enable them to exercise control over that information. 

Despite the industry's best intentions and meaningful attempts to create a self-regulatory framework which even included self-enforcement and accountability mechanisms, many pundits felt even back in 2009 that if this administration's legislative and administrative trends were any indication of what was to come, some form of federal legislation regulating consumer privacy collection was an inevitable reality.

True to form and word, Rep. Boucher has now introduced a somewhat uniquely concise set of definitions, categories and regulations to control the complex and dynamic universe of consumer data collection and use. 

Not surprisingly though, the proposed legislation has been panned from all sides, with privacy advocates arguing it is inadequate and pro-business groups saying it goes too far and will become too restrictive on measures that are already well established and trusted by consumers.

The legislation, in its current form, would apply to any business or nonprofit organization that collects personal information from at least 5,000 individuals in a given year, and would apply to Web sites and offline operations alike. The law, as currently proposed, would not apply to government agencies.

Among other things, the proposed legislation would require companies to get a user's explicit approval (i.e., it would require users to "opt in") before they "knowingly collect" information about a person's medical history, financial records, Social Security number, sexual orientation or precise geographic location.

Other information, such as that collected by Web cookies or session logs on corporate servers, would not require explicit consent, provided the company involved displays a "clearly-written, understandable privacy policy that explains how information about individuals is collected, used and disclosed" and provided users can decline or "opt out."

Covered or sensitive?
For the most part, the bill appears to codify what is generally an accepted practice today by reputable online companies.

Interestingly, the proposed legislation distinguishes between covered information and sensitive information. 

"Covered information" is defined to include, among other things, names, postal and email addresses, fingerprints and retina scans, Social Security and credit card and debit card numbers, driver's license information and Internet Protocol (IP) addresses.

The bill says that an organization "shall not collect, use or disclose covered information from or about an individual for any purpose" unless it makes available a privacy notice and obtains the user's consent, though that consent can be implied. 

The privacy notice must be "posted clearly and conspicuously on the Web site" and it must be accessible from a link on the site's homepage.

The organization has to include, among other things, details of the purposes for which the data are collected and used; how it stores the information; how it may merge or link the information collected about the individual with other information about the individual that it may acquire from unaffiliated parties; how it may share the information; how long it will retain the information "in identifiable form" and how it will dispose of it. 

In addition, an organization shall be considered to have the individual's consent to the collection and use of covered information if it provides the privacy policy or statement and if the individual "either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual."

Companies and Web sites that disclose their data collection practices can harvest this data on the assumption that, by using the site, one has agreed to such collection. But they are required to provide an opt-out option that would stop all such data collection and prevent the company from using even previously acquired data.

Sensitive information, in contrast, is defined to include medical records, race or ethnicity, religious beliefs, sexual orientation, financial records and precise geo-location information.

An organization must not collect or disclose sensitive information from or about an individual unless it makes available its privacy notice before collecting such data and obtains the individual's express affirmative consent.

What the foregoing boils down to is that covered information collection is "opt-out," while sensitive information collection would become "opt-in" only.

Location permission
In an attempt to address the manner in which much of digital advertising, whether on the Web or mobile, is largely managed, sold and displayed, the bill seeks to carve out an exception for the sharing of consumer data between Web sites and advertising networks. 

As an exception to the general rule requiring opt-in consent for third-party information sharing, opt-out consent would apply to sharing of an individual's information with a third-party ad network if there is a clear, easy-to-find link to a Web page for the ad network that allows a person to edit his or her profile and, if he or she chooses, to opt out of having a profile, provided that the ad network does not share the individual's information with anyone else.

The bill also requires each and every entity that falls subject to it to "establish reasonable procedures to assure the accuracy of the covered information it collects," and to establish, implement and maintain "administrative, technical and physical safeguards" to protect against threats and hazards to the security of such information and unauthorized access and misuse of such information.

While the promulgation of specific requirements and guidelines pertaining to this provision of the bill is several steps away, assuming the bill, in some form, even becomes law, the requirements will seemingly vary based upon the size and complexity of the company which collects the consumer information, the nature of such company's activities and the sensitivity of the covered information.

While most of the foregoing has equal application within the mobile marketing industry (i.e., mobile advertising networks, WAP sites, calls to action that originate on Web sites), the bill specifically addresses that any provider of a product or service which uses location-based information shall not disclose such information about a user's specific location without his or her express opt-in consent.

Consent that a user provides via or to a commercial mobile service provider would satisfy this requirement.

Finally, Rep. Boucher has decided the most appropriate regulatory agency charged with enforcing these privacy laws is the FTC, again not all that surprising considering that the agency has had a voice in the discussion as far back as 2007.

In fact, violations of these laws would be treated as an "unfair and deceptive act or practice" under the Federal Trade Commission Act.

As the privacy debate continues to wage on with almost daily reports and articles about Facebook's changes to its privacy policies and practices, the fate of the Google purchase of AdMob and the shifting of traditional advertising media mixes and budgets from television, radio and print to digital advertising of all kinds including Web, mobile and ITV, it will be keenly important for companies that play in the digital space to be keenly aware of these developments and even begin to consider shifting or crafting their operations, offerings and policies around these likely mandates.

Adam Snukal is senior associate at law firm Reed Smith's advertising technology and media group in New York. Reach him at .