On Tuesday, Senators John McCain and John Kerry introduced the long-awaited Commercial Privacy Bill of Rights, a sweeping bill that covers online and offline data collection, retention, use, and dissemination practices. Unfortunately, the bill may fall short of what’s needed to protect our privacy.This bill fails to address many of the issues surrounding pervasive online tracking that have been raised by privacy advocates, explored in the Wall Street Journal’s What They Know series, and highlighted by the FTC’s recent Privacy Report. The bill’s most glaring defect is its emphasis on regulation of information use and sharing, rather than on the collection of data in the first place. For example, the bill would allow a user to opt out of third-party ad targeting based on tracking – but not third-party tracking. The consumer choice provisions in Section 202 apply only to data use — not collection — unless that data is both “sensitive” and “personally identifiable.” Moreover, Part III of the bill, which imposes lax limits on collection, cannot be enforced by state Attorneys General. This is backwards: the privacy risk is not in consumers seeing targeted advertisements, but in the unchecked accumulation and storage of data about consumers’ online activities. Collecting and retaining data on consumers can create a rich repository of information – which leaves consumer data vulnerable to a data breach as well as creating an unnecessary enticement for government investigators, civil litigants and even malicious hackers.
https://www.eff.org/deeplinks/2011/04/well-meaning-privacy-bill-rights-could-codify