The Big Bad Boucher Bill, and Its Possible Exceptions

A discussion draft of a controversial bill to regulate behavioral targeting has been released by US Rep. Rick Boucher (D-VA). In summary, the bill addresses when and how marketers are allowed to place targeted ads based on user shopping habits and browser behavior. The bill would require advertisers to provide disclosure on how information is collected and with whom it is shared, give consumers the right to opt-out of behavioral targeting, and require consumer opt-in for marketers to collect “sensitive” information such as medical, financial, race, religious beliefs, sexual orientation and precise geo-location info.

This bill could significantly affect the ability of marketers to acquire customer acquisition lists because it would require opt-in consent for sharing most data with third parties. However, the bill does not regulate the disclosure of aggregate information, does not distinguish between PII and non-PII data, does not allow private right of action, and does not affect the current CAN-SPAM legislation. Boucher’s office is accepting comments on the bill until June 4, 2010 and many industry associations including the DMA are already speaking out against it. View articles from MediaPost and AdvertisingAge. As an ESPC member, LashBack was provided with a clear, comprehensive summary of the Boucher Bill draft. I have included the key points below and urge marketers to look into ESPC membership to gain access to future industry resources.

Data covered by the legislation includes:

First name or initial and last name
Postal address
Telephone or fax number
Email Address
Unique biometric data
SSN Tax ID or any government-issued ID number
Financial account numbers
Any unique persistent identifier such as a customer ID, anonymous profile, IP address or cookie ID that’s used to collect and store information about a specific individual
Preference profiles

The bill also addresses privacy policy requirements. The following list, provided in a summary to members by the ESPC, contains only the items not typically included in privacy policies today:

How an entity stores information covered in the bill
The length of time covered information is stored in identifiable form
How the entity disposes of or renders data anonymous after the expiration of the retention period
The choice and means the entity offers individuals to limit or prohibit the collection and disclosure of covered information
The means by and the extent to which the individual may obtain access to covered info that has been collected by the entity
A hyperlink to or a listing of the FTC’s online consumer complaint form or the toll-free phone number for the FTC’s Consumer Response Center

In the draft, several things would require consumer opt-in, including privacy policy changes, disclosing information to third parties, collection of the sensitive info covered earlier including geo-location info, and the collection of most individual behavioral targeting data. The bill also states that it would require opt-in for disclosing preference profiles, but it contains an exception. Individually managed preference profiles could be shared with third parties without opt-in if the marketer offers an opt-out, deletes or makes data anonymous after 18 months, includes a seal on ads that leads to information on how the ad was delivered and offers a way for the consumer to manage their preferences or opt-out of having a profile created altogether.

One interesting Boucher Bill provision is that ad networks would be given express consent to share preference profile information with third parties. This provision parallels legislation requiring advertisers and ad networks to share suppression file information with third parties. CAN-SPAM, which is centered around consumer opt-out, could explain the purpose behind sharing preference profiles with other marketers. If all third party marketers have access to a consumer’s preference profile, they are then able to adhere to it and avoid abusing consumer info with offers running through a network. Many email marketers are well aware of the dangers of sharing opt-out data with third parties. One should question whether sharing preference profile information would leave it open for potential abuse or serve to protect consumers if it is encrypted or properly protected. Contact the ESPC for more information on this important legislation.

Link to original post