A new Senate bill introduced Tuesday would establish a "privacy bill of rights" to set ground rules for companies that collect consumer data, including personal data amassed on the Internet and then mined to target online advertising.
The bill, sponsored by Democrat John Kerry of Massachusetts and Republican John McCain of Arizona, would create a "baseline code of conduct" to govern the use of information that could identify a particular individual or a particular computer or smartphone. It would establish a framework for how this data could be collected, used, stored and shared with third parties such as online advertising networks.
The proposal aims to address growing unease about the vast amounts of personal information that companies are scooping up on the Internet - including Web browsing habits, smartphone locations and Facebook preferences. That data is seen as a goldmine for marketers, and consumers have little control over what happens to it.
"Companies can harvest our personal information online ... and they can do whatever they want ... and we have no legal right to stop it," Kerry said.
The bill comes several months after the Commerce Department called for the creation of a "privacy bill of rights" for Internet users, and after the Federal Trade Commission recommended the creation of a "Do Not Track" tool to let consumers stop or restrict advertisers from studying their online activity to target ads.
The new legislation would require companies to clearly disclose how they collect and use personal data - including whether they share it with online advertising networks - and give users the opportunity to turn off this data collection through an "opt-out" choice. It would also require companies to obtain explicit user consent before collecting sensitive personal information, such as health or financial data.
In addition, the bill would require companies to establish strong data security protections for personal data, and to give users an opportunity to review and correct mistakes in their information. The rules, which would apply to any company that collects data on more than 5,000 people in a one-year period, would be enforced by the FTC and state attorneys general.
The bill also opens the door to a form of industry self-regulation by granting immunity from the law to companies that abide by voluntary privacy programs approved by the FTC. The bill directs the Commerce Department to help develop such programs.
Reaction to the new legislation was mixed.
A number of big technology companies, including Intel Corp., Hewlett-Packard Co., Microsoft Corp., eBay Inc., AT&T and Verizon Communications Inc., praised the bill.
"The proposed framework is a great start toward modernizing privacy rules for the Internet age," Verizon said in a statement.
But several privacy watchdog groups complained that it would not go far enough, in part because it would not mandate the creation of a "Do Not Track" tool.