Major Internet privacy legislation was unveiled today (PDF) by Rep. Rick Boucher (D-VA) and Rep. Cliff Stearns (R-FL). Under the bill, companies would be forbidden from using your cell phone's geolocation information without your consent, and the same goes for information on your race, religious beliefs, or sexual orientation. For most other information, a simple opt-out will keep that data—even data already collected—from being used.

Boucher chairs the House Subcommittee on Communications, Technology, and the Internet, and he has dealt with Internet issues for years (he was a driving force behind the doomed attempt to patch the worst parts of the DMCA, as well); Stearns is the ranking member on the committee. The two today released a "discussion draft" of their new privacy legislation in order to gauge Congressional and public opinion on its ideas.

Covered and sensitive



The bill isn't particularly long, and compared to laws in other countries, it's not particularly strict. But it does provide a decent privacy baseline in the US, providing limited protection for "covered information" and much tougher protection for "sensitive information."

The bill makes a key distinction between the two kinds of data: covered information collection is "opt-out," while sensitive information collection would become "opt-in" only.

According to the bill, covered information includes:

The first name or initial and last name

A postal address

A telephone or fax number

An e-mail address

Unique biometric data, including a fingerprint or retina scan

A Social Security number, tax identification number, passport number, driver's license number, or any other government-issued identification number

A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account

Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer

Companies and websites that disclose their data collection practices can harvest this data on the assumption that, by using the site, one has agreed to such collection. But they are required to provide an opt-out option that would stop all such data collection and prevent the company from using even previously acquired data.

Sensitive information can't even be collected and stored in the first place without an explicit opt-in assent. The bill defines sensitive information as:

Medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional

Race or ethnicity

Religious beliefs

Sexual orientation

Financial records and other financial information associated with a financial account, including balances and other financial information

Precise geolocation information

When it comes to that last one, the bill states that "a user’s express opt-in consent to an application provider that relies on a platform offered by a commercial mobile service provider shall satisfy the requirements of this subsection."

Aggregate and anonymous information can be collected without any privacy policy at all.

Salvation or devastation?

The draft bill has only been out for a few hours, and its opponents are already issuing a call to arms. The Progress & Freedom Foundation warns that "policymakers could unintentionally devastate the 'free' Internet as we know it. Because the Digital Economy is fueled by advertising and data collection, a 'privacy industrial policy' for the Internet would diminish consumer choice in ad-supported content and services, raise prices, quash digital innovation, and hurt online speech platforms enjoyed by Internet users worldwide."

Groups like the Center for Democracy & Technology have a different take. "It has been almost a decade since Congress last considered consumer privacy legislation," said CDT President Leslie Harris. "Since that time, commercial collection and use of consumer information both online and off has increased exponentially. Consumers deserve comprehensive privacy protection. Today’s release of the staff discussion draft of the Boucher-Stearns consumer privacy bill is the first step to achieving this important goal."

As for Boucher, he sees the bill as ultimately pro-business. "Our goal is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure," he said in a statement. "That greater sense of privacy protection will be particularly important in encouraging the trend toward cloud computing.

"Online advertising supports much of the commercial content, applications and services that are available on the Internet today without charge, and this legislation will not disrupt this well established and successful business model. It simply extends to consumers important baseline privacy protections."