The Obama administration’s recently released white paper outlines a consumer data privacy framework that would supplement existing laws and, as one of its four key elements, give the Federal Trade Commission a strengthened enforcement role.
The framework represents the administration’s proposal for providing additional consumer data privacy protections that it believes are necessary to preserve consumer trust “in the technologies and companies that drive the digital economy.” According to the white paper, the administration intends to implement the framework “without delay.”
The framework has four key elements:
A Consumer Privacy Bill of Rights
The administration has developed a “Consumer Privacy Bill of Rights” (CPBR) that, in the administration’s view, “provides a baseline of clear protection for consumers and greater certainty for companies.” The CPBR, which is similar to the privacy principles recognized by the European Union, would give consumers a right to: (1) individual control over personal data collected and its use, (2) transparency as to a company’s privacy and security practices, (3) respect for the context in which the consumer provides personal data (meaning that such data is collected, used and disclosed in ways that are consistent with such context), (4) security in the handling of personal data, (5) consumer access to data maintained on them and the ability to ensure the accuracy of such data, (6) focused collection (meaning reasonable limits on the data collected), and (7) accountability of a company and its employees for how personal data is handled.
Market and Industry Codes of Conduct
The administration seeks a “multistakeholder process” to develop codes of conduct that implement the general principles contained in the CPBR. The stakeholders would include individual companies, industry groups, privacy advocates, consumer groups, state attorneys general, and federal civil and state law enforcement officers. The stakeholders would be charged with identifying markets and industry sectors that involve significant consumer data privacy issues and may be appropriate for an enforceable code of conduct. If a company chooses to adopt a code of conduct for its market or industry (and possibly multiple codes for different business lines), the administration expects that the FTC could enforce the company’s public commitment to adhere to the code of conduct under Section 5 of the FTC Act.
Strengthened FTC Enforcement
The FTC would be charged with enforcing the commitments of companies under the FTC’s jurisdiction to adhere to one or more codes of conduct. According to the administration, “in any investigation or enforcement related to the subject matter of one or more codes, the FTC should consider the company’s adherence to the codes favorably.”
International Interoperability
To address the challenge created by differences in national privacy laws for companies that transfer personal data across national borders, the United States would engage with other countries “to increase interoperability in privacy laws” through mutual recognition and enforcement cooperation.
In the white paper, the administration also outlines its desired approach to new privacy legislation. That approach includes the passage of legislation codifying the CPBR and granting enforcement authority to the FTC and state attorneys general. The administration believes such legislation should also (1) give the FTC authority to review and approve codes of conduct adopted by companies and determine whether the codes sufficiently implement the CPBR, (2) grant companies that follow an FTC-approved code of conduct a safe harbor from enforcement of the statutory CPBR, and (3) preempt state laws that are inconsistent with the statutory CPBR.
The administration’s intent is to avoid creating duplicative regulatory burdens, so financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations and guidelines would largely be exempt from the new regime. In addition, the administration’s plan does not expressly envision a role for the Consumer Financial Protection Bureau (which has authority to enforce provisions of the GLBA). Nevertheless, the administration’s actions in the privacy arena are likely to influence the CFPB’s approach to data privacy and security. Finally, the administration states its support for a national standard for security breach notifications that would preempt state notification laws and that purportedly would apply to all financial institutions.