On February 27, 2015, President Obama released a discussion draft of the Consumer Privacy Bill of Rights Act of 2015 (the "Act"). The Act aims to "establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct." These protections would ultimately be enforced by the Federal Trade Commission ("FTC") or State Attorneys General. Although the Act is unlikely to become law as presently constituted, it demonstrates the Obama Administration's commitment to enacting a nationwide legal framework to regulate personal data in the United States.
Who and what is covered?
The definitions of Personal Data and Covered Entities in the Act are extremely broad. "Covered entity" is defined as a "person that collects, creates, processes, retains, uses, or discloses personal data in or affecting interstate commerce." Although federal and state governments and certain small entities would be exempted from coverage, the Act would apply to nearly every other company or organization conducting business in the United States. The Act defines "Personal Data" as any data that can be linked to a specific individual or device that is not publicly available. Data that is de-identified, deleted, or used to investigate or respond to a cybersecurity threat would be exempted.
Notably, the Act preempts state and local laws to the extent they impose requirements with respect to personal data processing, but it does not preempt states' general consumer protection laws, health or financial information laws, or data breach notification laws. With respect to federal preemption, the Act does not modify, limit or supersede the privacy or security provisions of federal laws, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996.
Proposed privacy protections
The Act would require covered companies to adopt "reasonable" privacy practices, which would be evaluated according to seven key factors:
- Transparency. Covered entities shall provide individuals with concise, conspicuous, and easily understandable notice about the entity's privacy and security practices. The Act sets forth various content requirements for such notices.
- Individual control. Covered entities must provide consumers with reasonable means to control the processing of their personal data in proportion to the privacy risk to the individual and consistent with context.
- Respect for context. If a covered entity processes personal data in a manner that is not reasonable in light of context, the entity must conduct a privacy risk analysis, take reasonable steps to mitigate any identified privacy risks, and provide notice to customers regarding personal data practices that are not reasonable in light of context. If the privacy risk analysis is supervised by a Privacy Review Board approved by the FTC, the covered entity may be excused from the heightened transparency requirements.
- Focused collection and responsible use. Covered entities may collect, retain and use personal data only in a manner that is reasonable in light of the context. To that end, the Act requires covered entities to delete, destroy or de-identify personal data within a reasonable time after fulfilling the purposes for which the personal data were first collected.
- Security. Covered entities are expected to identify reasonably foreseeable internal and external risks to the privacy and security of personal data, implement reasonable safeguards against unauthorized disclosure, and evaluate the adequacy of their security procedures regularly. Covered entities would have to consider the sensitivity of data, foreseeability of threats, industry practices, and cost of implementing safeguards to determine if their security procedures are reasonable.
- Access and accuracy. Each covered entity must, upon request, provide an individual with reasonable access to, or an accurate representation of, personal data that pertains to the individual and is under the control of the covered entity. The individual must be provided with a means to dispute and resolve the accuracy and completeness of the personal data pertaining to that individual.
- Accountability. Covered entities must take measures appropriate to the privacy risks associated with their personal data practices to ensure compliance with the Act, including training employees, conducting internal or independent evaluations of their privacy and data protections, building appropriate consideration for privacy and data protections into the design of their systems and practices, and binding third parties to use personal data consistently with the covered entities' commitments.
Future of the Act and similar measures
There is presently no legislative sponsor for the Act in Congress, which is needed for it to move forward, and that is unlikely to happen without substantial revisions. The Act also has been criticized by industry representatives, privacy advocates, and even the FTC (which would be charged with its enforcement).
The similarly titled "Commercial Privacy Bill of Rights Act," however, was introduced recently in both the House and Senate. This measure would preempt individual state laws governing customer and government disclosure obligations in the event of a data breach involving the personal information of US citizens or residents. The future of this bill is equally uncertain.
Notwithstanding these difficulties, the bills demonstrate commitments by both the President and Congress to enact a comprehensive legal framework to regulate personal data use and collection in the United States. Companies doing business in the United States would therefore be well served to understand the proposed requirements and engage in the ongoing legislative dialogue prior to enactment and enforcement of the new measures.