On May 4, 2010, Congressmen Rick Boucher (D-VA) and Cliff Stearns (R-FL) introduced draft legislation designed to protect the privacy of personal information both on the Internet and in offline contexts.

The legislation would apply to any “covered entity,” which is defined as “a person engaged in interstate commerce that collects data containing covered information.”  The term “covered information” is very broad and includes, but is not limited to, an individual’s first name or initial and last name, a postal address, a telephone number or an email address.  Government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period (and do not collect sensitive information) would not be considered “covered entities” for purposes of the law.

Among other things, covered entities would be required to:

  • provide an individual with a privacy notice and an opportunity to opt out before collecting, using or disclosing covered information from or about that individual;
  • obtain the opt-in consent of individuals before collecting sensitive information such as medical or financial records;
  • obtain the opt-in consent of individuals before sharing covered information with unaffiliated parties; and
  • establish, implement and maintain appropriate administrative, technical and physical safeguards to protect covered information.

The draft legislation gives enforcement authority to the Federal Trade Commission, which may issue regulations to implement the measure, and allows state attorneys general and state consumer protection agencies to bring civil actions on behalf of their states’ residents against anyone who violates the law.

The bill will be formally introduced following a one-month comment period.