It seems like decades ago we started hearing about comprehensive privacy legislation. Well, it was. In the meantime, we've had a new FCRA, GLBA, HIPAA, COPPA, CAN-SPAM and more state laws than I can count. And now we have a new bill. No, wait, it's a "discussion draft." OK, let's talk about that.
Rep. Rick Boucher (D-VA), Chairman, and Rep. Cliff Stearns (R-FL), Ranking Member of the House Energy and Commerce Committee's Subcommittee on Communications, Technology, and the Internet, released the discussion draft bill (which doesn't have a name as of press time) on May 4, 2010. Rep. Bobby Rush introduced a similar bill in the House on July 19, 2010. Privacy watch groups, businesses and industry trade associations have submitted their comments on the Senate bill. And, of course, no one is happy. The good news is that Rep. Boucher and Rep. Stearns seem committed to listening to all sides before moving forward.
The question each of us as marketers should be asking is, "How will this affect me?" First, if you haven't read the discussion draft, you should. You can find an excellent summary at the Direct Marketing Association website. While you're there, you also should read the comments that the DMA submitted on your behalf. This is a good place to start evaluating the impact to your business.
My primary concern is that this bill is not about marketing, nor is it about online data use, but it is clear these were driving forces behind the bill. Its purpose is "to require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual." This bill is about data collection on individuals in all its forms—online/offline, intentional/inferred and valuable/worthless. Instead of providing notice and choice about our marketing practices, we will be providing notice and opt-out before ever collecting data to be used for marketing. If we plan to transfer the data to a third party, the consumer must opt in.
For many marketers, our systems and processes have evolved over time and are separate for online and offline marketing. Do we even know all the places data collection occurs? Maybe we built our online systems with the transparency and choice expected in the channel. Perhaps we've established sophisticated preference options for consumers online. It appears we are much better prepared to deal with these requirements in an online world. But how will we migrate these sophisticated options to a less sophisticated channel? How do you provide notice and opt-out on a telemarketing call? How will nonprofits retrofit their systems?
In the meantime, a data security bill (H.R. 2221—The Data Accountability and Trust Act) has already passed out of the House and a similar Senate bill (S. 1490—The Personal Data Privacy and Security Act) has passed out of committee. These will bring us closer to a national standard on consumer data breach notification. That's not all bad. A single national data breach notification standard, if reasonable, is preferable to 50 different state requirements. Unfortunately, there are some other requirements of real concern. In S. 1490, there is a requirement for data brokers to allow access to, and correction of, the data they maintain. While this has become the norm for data used to make substantive decisions on credit or healthcare, making this a requirement for data used in marketing is startling. Isn't this why we have opt-out?
There is still much work to do on these bills, and the devil is in the details. In the meantime, marketers should get ready. It's time to audit our data collection practices. What do we have? What do we need? How can we incorporate notice and opt-out into our collection process to keep data flows alive? Is all our consumer data as secure as it should be? Do we have policies and procedures in place for data breach notification? At least then we'll know the impact of the legislation when it does get here. These bills are still changing, so be diligent in tracking both their progress and your ability to respond. A privacy bill is coming. Are you ready?
Gwenn Freeman is a privacy strategist for KnowledgeBase Marketing, a marketing solutions provider based in Richardson, Texas. She has addressed privacy issues for 20 years, including serving on the DMA's Ethics Policy Committee and the Consumer Advisory Council at the Federal Reserve Board. She can be reached at email@example.com.