
On the case - March 2007


If Data Protection legislation is introduced in the USA, what will it look like?


Last month US Senators Leahy and Specter introduced a revised version of their Personal Data Privacy and Security Act of 2005, which would go a long way to providing protection for individuals’ personal data.


Introducing the bill, Senator Leahy referenced the “waves of security breaches” affecting millions of Americans and singled out high-profile (and high-volume) data losses by ChoicePoint, LexisNexis, and Acxiom. He also outlined the bill’s five-point plan to improve data security.


First off, Leahy wants Americans to be given notice when they have been harmed by a data breach and seeks to address the problems of lax security and lack of accountability. All well and good, and broadly reflecting the Seventh Data Protection principle.


The bill also attacks “Data Brokers”. Leahy’s definition of a data broker is “a business entity which for monetary fees, dues, or on a cooperative non profit basis, regularly engages, in whole or in part, in the practice of collecting, transmitting, or otherwise providing personally identifiable information on a nationwide basis on more than 5,000 individuals who are not the customers or employees of the business entity or affiliate.” So, in direct marketing terms, list compilers but, interestingly, not response list owners. If asked, Data Brokers must allow individuals access to their data and the chance to correct inaccuracy. This is seemingly similar to the “Subject Access” provisions of the European legislation.


But it’s not just the Data Brokers who would have to protect personal data: all companies must vigilantly protect databases (over 10,000 records) and make sure that contractors hired to process data are vetted.


His penultimate point could cause severe pain for the US direct marketing industry which has, for many years, relied on Social Security Numbers for purposes of unique identification. Leahy wants to prohibit the display and sale of Social Security Numbers without consent. The bill would also prevent companies from requiring individuals to provide their number as a prerequisite for receiving goods and services.


Finally, there is a salvo aimed at the government’s use of personal data, seeking audit and security measures for all government contractors.


The bill would provide tough monetary and criminal penalties for those who infiltrate systems to compromise personal data or attempt to cover up security breaches.


Whether it makes the statute books or not, the Specter-Leahy bill certainly points towards a more regulated future for American direct marketers.
