
Monday, April 25, 2011

Online Data Collection and Disclosure to Private Entities: Selected Federal Laws and Self-Regulatory Regimes


Kathleen Ann Ruane
Legislative Attorney

In recent years, there has been an increase in concern over the amount of data that companies, both online and offline, gather about individuals and the private entities to which such data is disclosed. Companies generally use this information for marketing purposes. However, consumers often may be unaware when their data is being collected, particularly in our current era where each click of a mouse on a website may be recorded by a marketing or data gathering firm. Some of the data gathered may be highly sensitive information like Social Security numbers or bank account numbers. Furthermore, this data may be merged with data collected offline, or shared with third parties. These risks have been the subject of congressional and regulatory scrutiny. The 112th Congress and federal agencies will likely continue to examine these issues and debate legislative and regulatory solutions.

The first major issue presented by this debate is whether data gathering and disclosure practices violate current law. Privacy laws in the United States are generally industry specific. Certain laws govern the collection and disclosure of financial data. Other laws govern the collection and disclosure of health-related data. A large amount of data collected about consumers, however, does not fall into the categories of data that are covered by these industry-specific laws. Thus, the primary federal mechanism for enforcing privacy protections, where the data at issue are not covered by more specific statutory protection, is Section 5 of the Federal Trade Commission Act. Section 5 prohibits unfair and deceptive trade practices. The Federal Trade Commission (FTC) has successfully used this prohibition to hold companies liable for breaches of the privacy policies that they have developed.

There is also argument as to whether the Electronic Communications Privacy Act (both Title I, known as the Wiretap Act, and Title II, known as the Stored Communications Act) and the Communications Act of 1934 apply to online entities that are collecting data through click tracking, capturing search terms, providing web-based e-mail services, and other methods. It is likely that in some cases these laws could be held to apply to such activities and that, in some cases, these methods of data collection could be forbidden unless consent is obtained from one of the parties to the communication or some other exception applies. This report will examine the application of these statutes in more detail.

The second major issue presented by this debate is whether new legislation or regulations are needed to govern consumer privacy. There are no current federal regulations specific to online advertising and data gathering. The FTC and the Department of Commerce recently published reports proposing frameworks for privacy in this rapidly developing marketplace. The proposed frameworks, in the agencies’ views, could be a combination of both government and self-regulation. This report will briefly discuss these proposals.

Private organizations such as the Network Advertising Initiative, Interactive Advertising Bureau, and Privacy Group Coalition have created policies, which many online entities have pledged to follow, that represent industry best practices for protecting the privacy of web users. Some of their self-regulatory regimes are discussed as well. For more information about the online advertising industry, see CRS Report R40908, Advertising Industry in the Digital Age, by Suzanne M. Kirchhoff.



Date of Report: April 1, 2011
Number of Pages: 23
Order Number: RL34693
Price: $29.95


Document available via e-mail as a pdf file or in paper form.