Six Lines

▶ Rush Introduces Privacy Bill

Posted by Aaron Massey on 20 Jul 2010.

Illinois Rep. Bobby Rush introduced a privacy bill on Monday that is a must read for anyone interested in online privacy or technology policy. It is commonly called the “Best Practices Act.” You can find out more about the bill on WashingtonWatch.com or on OpenCongress.org. In addition, you can read a memo about the bill here (pdf). Finally, a hearing will be held Thursday afternoon about this bill.

The key take-aways are as follows: (1) This bill is unlikely to pass this term, but it’s likely that some privacy bill will be passed before the next Presidential election. Thus, this is an important part of that process. (2) The bill would setup an opt-in regime for some information and an opt-out regime for other information. The information that triggers the opt-in regime is intended to be more sensitive than the opt-out information, but there’s some debate about this. (3) This is essentially the same text as the draft released in May that privacy groups didn’t think went far enough and industry groups thought went too far.

I’m concerned that this bill fundamentally misses a key problem with online privacy. Consider this quote from the briefing memo:

Section 102 requires a covered entity to provide individuals with concise, meaningful, timely, prominent, and easy-to-understand notice or notices.

Basically, this assumes the same model we’ve had for quite some time. It sounds great in the ideal, but in reality it’s extremely hard to write a privacy policy that accurately describes complex technical practices while ensuring that everyone can read it. Organizations end up posting privacy notices written as clearly as possible and yet still almost completely incomprehensible to virtually everyone affected by them.

Consider what Rep. Barton said about Apple’s recent privacy policy update:

Added Barton: “While I applaud Apple for responding to our questions, I remain concerned about privacy policies that run on for pages and pages. I hope every business that uses information for advertising and marketing purposes will work toward more transparency and complete disclosure about their practices, as well as robust security for the information they hold.”

I just don’t think this is a route to future success. I know I’m not the only one.

Also, I agree with Jim Harper about this:

Jim Harper, an attorney at the free-market Cato Institute, points out that Rush’s bill explicitly does not apply to the government. “It’s unbelievable that they should so brazenly exempt the federal government,” he said. “The federal government should be covered, as should political parties and campaign committees. Congress should practice what it preaches.”

Disclosure: I worked with Jim Harper as a Google Policy Fellow at the Cato Institute during the summer of 2008.