Commercial Privacy Bill of Rights Act of 2011

Commercial Privacy Bill of Rights Act of 2011 - Directs the Federal Trade Commission (FTC) to initiate a rulemaking requiring security measures to be carried out by any person (defined in this Act as a "covered entity") collecting, using, transferring, or storing certain personal information (defined in this Act as "covered information") concerning over 5,000 individuals during any consecutive 12-month period who is also: (1) a person whom the FTC is directed to prevent from using unfair methods of competition or deceptive practices in or affecting commerce under specified provisions of the Federal Trade Commission Act; (2) a common carrier subject to the Communications Act of 1934, notwithstanding specified terms and exceptions; or (3) a nonprofit organization, including certain tax-exempt organizations. Requires each such entity to implement a comprehensive information privacy program.

Applies the requirements of this Act to: (1) personally identifiable information; (2) unique identifier information; and (3) any information that is collected, used, or stored in connection with such information in a manner that may reasonably be used to identify a specific individual. Excludes from such measures certain information obtained from public records, shared voluntarily in a forum, reported in the media, or dedicated as workplace contact information.

Requires an FTC rulemaking to require each covered entity to: (1) notify individuals of its information use, storage, transfer, and collection practices, and the purposes of such practices; (2) offer mechanisms for opt-out or opt-in consent, as specified, under various circumstances including for unauthorized information use and use by third parties for behavioral advertising or marketing; (3) provide methods to correct inaccuracies; and (4) permit requests to render information personally unidentifiable or to cease unauthorized or marketing use after the entity's bankruptcy or a termination of service.

Lists the restricted purposes for which collected information must be reasonably necessary. Limits the retention of such information.

Sets forth the contract provisions necessary to use a service provider or to transfer such information to a third party.

Sets forth provisions concerning: (1) enforcement by the FTC and state attorneys general, (2) civil penalties, and (3) safe harbor programs to be administered by nongovernmental organizations. Prohibits any private right of action under this Act.