Rep. Bobby Rush (D-IL-01) introduced H.R. 5777, a comprehensive U.S. data privacy bill, in late July 2010. It builds (and improves) upon a draft bill circulated by Rep. Rick Boucher (D-VA-09) and Rep. Cliff Stearns (R-FL-06) in May.

What is in this memo? This memo summarizes the bill and MRA’s biggest concerns with it as written. It then examines and analyzes each title and section in depth.

Stated purpose of the bill: “To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes.”

Summary of the bill: The Best Practices Act would require covered entities (most research companies and organizations) to: provide extensive notice of their data privacy practices to individuals; offer opt-out from collection or use of most information (not necessarily personally identifiable information); get participants’ “affirmative express consent” for collection or use of “sensitive” information (which includes some common demographic data) or for transfer of most information to a third party (except for service providers); make sure the data they keep is accurate; set up and maintain data security systems and processes; and conduct periodic privacy assessments. The Act would be enforced by the Federal Trade Commission (FTC), State Attorneys General (AGs), and private rights of action (lawsuits).

TABLE OF CONTENTS

MRA’s Biggest Concerns

Notice and Consent (Title I)

Accuracy, Access and Dispute Resolution (Title II)

Data Security, Data Minimization, and Accountability (Title III)

Safe Harbor and Self-Regulatory Choice Program (Title IV)

Exemptions (Title V), Enforcement (Title VI) and Effective Date

Definitions (Sec. 2)

Read the full memo (pdf) on Rep. Bobby Rush's Best Practices Act

[In 2011, Rep. Rush reintroduced the Best Practices Act as H.R. 611]