Following the poor response to President Barack Obama’s Consumer Privacy Bill of Rights, lawmakers have taken matters into their own hands.
The Commercial Privacy Rights Act of 2015 features general privacy protections as well as specific provisions for children and a section on data breach notification.
In February, the White House released a draft of the President’s proposed Bill of Rights that united privacy advocates, industry representatives, and legislators in general unhappiness. The next week, Sen. Robert Menendez (D-N.J.) produced a counterpart.
The Commercial Privacy Rights Act covers entities within the Federal Trade Commission’s jurisdiction, common carriers under the Communications Act, and 501(c) non-profit organizations that “collect, use, transfer, or store” covered information of more than 5,000 individuals during a consecutive 12-month period.
The Act’s definition of “covered information” is narrower than the White House proposal’s. It includes “personally identifiable information” and “unique identifier information,” as well as an individual’s name, e-mail address, physical address, telephone number, Social Security number, and biometric data. Other data, such as precise geographic location, is covered only when paired with one of these types of personal information.
The bill defines “unauthorized use” as the use of covered information for any purpose not authorized by the individual and makes such use potentially actionable.
The Federal Trade Commission would be granted rulemaking authority to establish recognized security practices (proportional to the size and type of the entity) consistent with industry norms and existing FTC guidance. Covered entities would be responsible for implementing those practices, and the bill mandates privacy by design throughout the data life cycle.
As transparency is key under the bill, the FTC is also tasked with establishing rules for the collection, use, transfer, and storage of covered information. If a covered entity makes material changes to any relevant information policies, it would be required to provide prior notice. The measure incorporates the principle of data minimization and limits retention of information to the necessary time period.
Consumers would be granted the right to access their covered information and a procedure for correcting any errors.
Importantly, the bill provides two means of safe harbor for businesses: compliance with industry-specific self-regulatory programs and an exemption for covered entities to the extent they are subject to data security and privacy provisions of specifically enumerated federal laws, including the Children’s Online Privacy Protection Act, the Fair Debt Collection Practices Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act, among others.
Enforcement would be led by the FTC pursuant to Section 5 of the Federal Trade Commission Act, with supplementary enforcement by state attorneys general. No private right of action was provided in the bill. Civil damages would be available for up to $33,000 per day or per individual with a maximum of a $6 million penalty.
The bill also features the return of the Do Not Track Kids Act and a data breach notification provision.
COPPA would be tweaked to apply the Commercial Privacy Rights Act’s regulations on the collection of information to children, the definition of “operator” would be updated to include online and mobile applications, an “erase” mechanism would be provided for underage users, and the sharing of information about a minor with third parties for targeted marketing purposes absent verifiable parental consent would be prohibited.
The data breach notification provision sets forth the circumstances under which a covered entity must provide notice to consumers, the FTC, third parties, service providers, and credit reporting agencies. Exemptions exist if the company concludes “there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”
Why it matters: Privacy and data security remain a hot topic for both the President and Congress. With so many proposals floating around the Capitol (a few days after the Commercial Privacy Rights Act was introduced, lawmakers presented yet another data breach notification bill), the likelihood of any of them actually passing remains unclear.