For the past month, online companies have considered the privacy legislation discussion draft from Rep. Boucher and Stearns. The legislation is a broad attempt to set privacy defaults for the collection, use and sharing of information on the Internet.
Last Friday, NetChoice submitted comments to Rep. Boucher and Stearns.
While there are some aspects of the bill to like (eg. no private right of action), we’re worried that the bill does too much, too soon, to set opt-in or opt-out defaults. We explored in a previous post why flexibility in setting user defaults is important for continued social network innovation.
Fortunately, open and thoughtful consideration of this matter can continue without undue pressures to find a quick fix for privacy. Because while there have been state legislative proposals on privacy, there is not now a patchwork of state laws creating unworkable compliance challenges for interstate e-commerce. In other words, we can take our time and get this right.
Our comments discuss how the draft bill would interfere with four commonplace scenarios for collecting and using information. Here’s one of ‘em:
- The Operational Purpose exemption in this draft legislation is too narrow, in that it does not permit use of covered information for marketing or advertising to existing customers.
Case 1: A consumer buys a new washer and dryer and writes her email address on a product registration card. That’s an Operational Purpose, so no consent is required to collect the info. But if the retailer later wants to send an email offering an extended service contract, he has to first obtain consent to send the email, since that’s a use of covered information for marketing purposes.
Additional consent should not be required when a business uses covered information to do follow-up marketing to customers with whom it has already established a business relationship. Customers expect their vendors and suppliers to offer upgrades, options, service contracts, etc. Congress has recognized this consumer expectation in past legislation, which is why it built important exceptions in the CAN-SPAM Act for “relationship messages” to contact customers in an existing business relationship.
But the Operational Purpose exemption is denied if the business uses any covered information for advertising or marketing — to its own customers. This would force businesses to first request consent from their customer before contacting them with information about additional services or products. A low response rate to these permission requests will mean that fewer customers will learn about products and services they value, and businesses will have to spend more to market to existing customers.
Read the other three here.