To be clear, the bill's draft will have to get through two congressional chambers that are hardly filled with people for whom E-Commerce privacy legislation is a priority. Even if it somehow makes it through, the bill will undergo major wording changes. That all said, it's the most concrete federal E-Commerce privacy draft we've seen, and it's worth exploring if for no other reason than to make retail IT execs very afraid.
The draft bill comes to us courtesy of Rep. Rich Boucher, a Virginia Democrat who is chairman of the House subcommittee on Communications, Technology and the Internet, and Rep. Cliff Stearns, a Florida Republican.
A key provision of the proposed bill (nerdy detail: This is a draft of the legislation circulated for comment. It has yet to even be officially introduced) is to restrict information given to a retailer from being distributed to an outside business, such as a marketing firm that sends spam or junkmail.
That's politically safe territory. But the wording is sufficiently vague to raise other concerns. For instance: "An individual has a reasonable expectation that a company will not share that person's information with unrelated third parties," the proposed bill says. "If a company wants to share an individual's personally identifiable information with unaffiliated third parties other than for an operational or transactional purpose, the individual must grant affirmative permission for that sharing."
The problem is the bill doesn't define "unaffiliated parties." Presumably, that excludes payment processors. But what about mobile partners? Or firms that might access CRM databases to determine customized homepages? Or even custom comment services, which might need to identify the customer to post relevant user-selected images?
Indeed, the bill presents somewhat of a logical paradox. Its requirement that consumers be able to declare themselves off-limits for certain data retention in and of itself potentially forces a third party to need to identify each consumer to check a permissions file.
The bill, by the way, doesn't require the deleteion of such confidential data, merely that it not be used, other than in aggregate. That stance certainly courts trouble. It's like telling a hungry 3-year-old he's allowed to have the candy, open the package and smell the candy, but he's expected to not eat the candy.
The bill is trying to do what's right, but the world of E-Commerce is a little more complicated than the bill assumes. Consider this message: "The consent requirements of this subsection shall not apply to the collection, use or disclosure of covered information for a transactional purpose or an operational purpose, but shall apply to the collection by a covered entity of covered information for marketing, advertising or selling, or any use of or disclosure of covered information to an unaffiliated party for such purposes."
That would be fine, were it not for the fact that many operational aspects of a major E-Commerce site are indeed intertwined with marketing and certainly with selling. The entire site, by definition, is one big attempt at selling. Is site customization operational or, given that it's trying to push certain products, is it marketing?
What about this statement: "If an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use covered information previously collected."
This bill is, in effect, placing a retroactive requirement on retailers. Given that some of this private data might have been collected and distributed four years ago, how easy will it be to locate and remove all that retroactively forbidden fruit?