On Friday, Feb. 27, the Obama administration unveiled a proposed Consumer Privacy Bill of Rights that would require businesses to be more transparent in privacy practices, and provide individuals certain rights aimed at helping individuals understand how businesses collect, use, and share personal information.
Unlike the EU and other regions, the U.S. has sectoral privacy laws, arguably leaving significant gaps in the regulation of how businesses collect, use, and disclose personal information and rights afforded to individuals. This proposal, if introduced and passed by Congress, would provide a baseline privacy law within the U.S. The proposal provides for industry-created codes of conduct – just one provision that has already drawn sharp criticism from consumer advocates.
In this first post, as part of a DWT series analyzing the proposed legislation, we look at the proposed definition of personal data, de-identification provisions, and retention requirements.
Under the President’s proposal, “personal data” would include data that is not publicly available and linked or linkable to a specific individual or to a device associated with or routinely used by a specific individual. The proposed definition excludes: de-identified data, deleted data, certain employee information (e.g., title and business contact information), and cybersecurity data.
The broad definition of personal data will have far reaching impacts, if passed by Congress. Information that covered entities may not view as personal data such as persistent identifiers and telephone recordings that do not specifically include information identifying a specific individual (but include biometric identifiers), would likely be considered “personal data.” In addition to reexamining collection, use, and disclosure practices, covered entities may need to survey existing information systems and paper records to identify personal data already collected (particularly to comply with the retention requirements discussed below). We commend the exclusion of cybersecurity data, which may aid efforts to increase information sharing related cybersecurity attacks.
De-identified data, under this proposal, must be altered so that there is no reasonable basis to expect that the data could be linked to a specific individual or device. Unlike other sectoral laws, such as HIPAA, this proposal does not provide a “safe harbor” of removal of certain identifiers. Covered entities would likely have to rely on a statistical determination of the likelihood of re-identification, a process that may prove impractical for small organizations.
Additionally, any covered entity that wishes to collect, use, or disclose de-identified data must:
- Publicly commit to refraining from re-identifying the data and must implement controls to prevent re-identification;
- Enter into contractual agreements with any entities to which the covered entity discloses de-identified data, prohibiting the entity from re-identifying the data and requiring the entity to enter into contractual agreements containing the same prohibition for any further disclosures of the de-identified data; and
- Any such entity that receives the de-identified data must publicly commit to not re-identify that data
This expands significantly on other U.S. privacy laws, which do not require further contracts or restrictions once information is de-identified. While requiring businesses to publicly commit to not re-identify de-identified data may provide a clearer path to an alleged violation of section 5 of the FTC Act where the entity does re-identify the data, we question how meaningful a flood of these “commitments” will be to consumers.
The president’s proposal limits retention of personal data to that which is reasonable in the context and requires covered entities to delete, destroy, or de-identify personal data within a reasonable time after it is no longer needed for the purpose(s) for which it was collected.
This could limit covered entities’ ability to retain data for purposes other than the purpose(s) of the original collection, even if the personal data is used or disclosed only in a reasonable manner and consistent with notice to individuals.