Non-Profits May Soon Face A Privacy Bill Like No Other

Amidst the recent privacy wave everyone’s been riding, there’s been new legislation proposed that nonprofit organizations will want to take a look at. Titled The Commercial Privacy Bill of Rights Act of 2011, Congressmen (and women) are seeking to put in place information practice protections that provide consumers greater control over their personal information. Largely in response to the recent Epsilon email breach, and a paper delivered by the Department of Commerce last year, the bill seeks to incorporate many of the protections discussed in the DOC paper. The bill also picks up some recommendations made in an FTC paper last year (which are thoroughly discussed by yours truly in my previous posts).

Who Does The Bill Cover?

The interesting thing about this bill is that it covers both online and offline businesses. Essentially, anyone that “collects, uses, transfers, or maintains personal information concerning more than 5,000 individuals a year” would be covered. That is interesting, seeing as how most recent privacy recommendations have only addressed information exchanged over the internet. Even more interesting, non-profit organizations are specifically listed among the organizations covered (hint, hint). And for those that don’t follow the law, proposed penalties would be from 16,500 to 3 million clams.

Small organizations, don’t breathe a sigh of relief yet. That 5,000 requirement includes employees (both present and former). But I’m curious, and will look into, whether that number includes past, current and future volunteers as well. And what of those that sign up for newsletters and updates? It seems only natural that it would, and if so, that 5,000 could be reached pretty quickly. The definition of consumer is currently very loose and I wouldn’t be surprised if it retains its broad application.

What Type of Personal Information is Included?

The bill covers all personally identifiable information. That means names, addresses, email addresses, telephone numbers, credit card numbers, birth date, geographic location, any identifying information or any other “unique, persistent identifier”. And get this, any information that may not have qualified as personally identifiable information (PII) automatically becomes PII when combined with PII. For example, that means any information sent to you in an email that contains PII could potentially become PII and subject to this bill. Yep.

What Will I Be Required To Do?

Amongst many things, those covered will be required to provide consumers with information about their information collection and storage policies, and to make these policies available on some medium easily accessed by those from whom information may be collected. Logically, that means organizations will be required to enact some sort of practices for staff, volunteers, board members and any other agents to adhere to, as well as some type of accountability policy for managerial staff. Organizations would also have to provide opt-in/opt-out options to consumers and monitor the use of PII by third parties. Opt-in regulations would be more stringent concerning health or religious affiliation information (both of which will definitely affect non-profit organizations).

Dear Lord, What Next?!!!!

Calm down. Many states already have laws in place very similar to this. And its requirements are not much different than what is already seen in the terms and conditions of many non-profit websites, particularly those allowing for commerce transactions to take place over the internet. However, the fact that this bill applies both online and offline, its hefty fines, and the fact that it would supersede most state laws, show that Congress is clearly trying to get a point across. Moreover, rules on the collection of personal information have not really been enforced, particularly to this extent. But if it’s any consolation, there does seem to be a concerted effort in the bill to provide guidance and resources to smaller organizations.

The Privacy and Information Security Law Blog and the Chronicle of Data Protection have good discussions of the DOC paper from last year. The Wall Street Journal has video of the press conference, and Senator Kerry’s website has more information. The Chronicle of Data Protection also covers the bill pretty well.