The Obama Administration released its “Discussion Draft” of the Privacy Bill of Rights late Friday afternoon, February 27, 2015.
This is a sweeping proposal that would prohibit or severely restrict almost all consumer data collection and use beyond a narrow exemption that allows for collection within the “context” of when and how information was collected.
For example, it proposes to almost completely shut off ALL collection of information about consumers, including just their name. (“In General – each covered entity may only collect, retain, and use personal data in a manner that is reasonable in light of context.”)
It imposes very high and restrictive burdens on efforts to use data beyond such purposes.
Further, it imposes additional requirements and restrictions even on those companies that are subject to and examined for compliance with existing successful data privacy regimes such as FCRA, GLB and HIPAA. For example, the proposal would require all companies that collect personal information to provide consumers with an opt-out from data collection and use, and does not exempt consumer reporting agencies from that requirement.
It also goes well beyond even the most restrictive proposals that have been introduced in Congress.
In short, this is not a “starting point” for discussions about possible legislation, but instead appears to represent a broad overview of the Administration’s thinking on consumer collection and data sharing policies.
Ironically, however, it completely exempts government agencies at all levels from this proposal, and does not contain a data breach notification provision; these have been the two areas where consumers have been most interested in seeing legislation enacted.
While this proposal may generate some short-term press discussion, we believe that the chances of something even close to this getting enacted are close to zero:
- Privacy was not an issue that Congress was likely to tackle before the release of this draft, and we do not believe that this will “move the needle” much, if at all.
- Congress likely will continue to focus on data breach notification, and appears highly unlikely to want to tack privacy provisions on to that.
- In 2012, when this proposal was first released by the Administration, no Members of Congress took up the mantle to introduce it, and even the most restrictive privacy proposals that have been introduced do not come close to this.
A Note of Caution:
The one area where this may raise concerns, however, is in how this proposal may influence regulatory activity, and this should be taken very seriously. Specifically, this proposal lays out a very restrictive marker regarding the Administration’s views on commercial data collection and use, and there is a risk that agencies may apply this proposal as guidance from the Administration on how they approach data collection and use policies. In particular, we are concerned that agencies that examine and enforce data security, collection and use provisions in other contexts may make these issues a higher priority or subject companies to more scrutiny in these areas.
This should be a wake-up call for companies, which should strongly consider reexamining their privacy and data security practices to ensure that they are consistent with those policies.