The White House released a discussion draft of the Consumer Privacy Bill of Rights Act of 2015. The Act is intended to establish baseline privacy protections for individuals in industries that are not currently regulated at the federal level, and to provide a process for the development and implementation of multiple codes of conduct that would be enforced by self-regulatory programs approved by the FTC.
The Act does not contain a private right of action; however, enforcement actions brought by the FTC could result in civil penalties up to $25,000,000. In enforcement actions brought by state Attorneys General, the remedy is limited to injunctive relief. There is a safe harbor from prosecution for an entity that demonstrates adherence to and compliance with an FTC-approved code of conduct.
The Act would preempt some state and local privacy laws but would not preempt state and local laws that address the processing of health and financial data, security breach notification laws, and laws that address the privacy of minors or K-12 students.
The Act would apply to entities within the FTC's jurisdiction pursuant to section 5(a)(2) of the FTC Act, and also to non-profit entities.
Baseline Privacy Protections: Notice, Control, Access, Accountability and Security
The Act would require each "covered entity" to provide a concise and easy-to-understand notice of its privacy and security practices including a description of:
- The personal data the covered entity processes, including the sources of data collection if the collection is not directly from the individual;
- The purposes for which the covered entity collects, uses, and retains such personal data;
- The persons, or categories of persons, to which the covered entity discloses such personal data and the purposes for which the data is disclosed;
- When such personal data will be destroyed, deleted, or de-identified. If the covered entity will not destroy, delete, or de-identify personal data, it shall specify this in the notice;
- The mechanisms to grant individuals a meaningful opportunity to access their personal data and grant, refuse, or revoke consent for the processing of personal data;
- Whom individuals may contact with inquiries or complaints concerning the covered entity's personal data processing; and
- The measures taken to secure personal data.
A "covered entity" is defined broadly as "a person that collects, creates, processes, retains, uses, or discloses personal data in or affecting interstate commerce." The term does not include government agencies or government employees or contractors, or entities that process data from fewer than 10,000 individuals in a 12-month period or have five or fewer employees. A covered entity does not include any person who "does not knowingly collect, use, retain, or disclose any information that is linked with personal data and includes, or relates directly to, that individual's medical history; national origin; sexual orientation; gender identity; religious beliefs or affiliation; income, assets, or liabilities; precise geolocation information; unique biometric data; or Social Security number."
"Personal data" is also broadly defined as "any data that are under the control of a covered entity, not otherwise generally available to the public through lawful means, and are linked, or as a practical matter linkable by the covered entity, to a specific individual, or linked to a device that is associated with or routinely used by an individual." Personal data includes "any unique persistent identifier, including a number or alphanumeric string that uniquely identifies a networked device . . . [and] unique identifiers or other uniquely assigned or descriptive information about personal computing or communication devices."
The Act would require each covered entity to provide individuals with reasonable means to control the processing of personal data about them "in proportion to the privacy risk to the individual and consistent with context."
"Context" is defined as "the circumstances surrounding a covered entity's processing of personal data," including but not limited to:
- The extent and frequency of direct interactions between individuals and the covered entity, if any;
- The level of understanding that reasonable users of the covered entity's goods or services would have of how the covered entity processes the personal data that it collects, including through any notice provided by the covered entity;
- Information known by the covered entity about the privacy preferences of individual users of its goods or services;
- The types of personal data foreseeably processed in order to provide a good or service that an individual requests from the covered entity; and
- The age and sophistication of individuals who use the covered entity's goods or services.
If a covered entity processes personal data in a manner that is not reasonable in light of context, it must conduct a privacy risk analysis, take steps to mitigate identified risks, and provide "heightened transparency and individual control."
Access and Accountability
Covered entities would be required to provide individuals with access to their data upon request; to ensure that personal data under the entity's control is accurate; and to allow individuals to dispute the accuracy of such data.
The Act would require covered entities to identify privacy risks, establish safeguards, regularly assess the sufficiency of such safeguards, and make adjustments when necessary.
Codes of Conduct
Title III of the Act addresses the creation of multiple codes of conduct and self-regulatory programs that would enforce such codes. Codes of conduct would be developed by individuals or organizations, as well as by interested stakeholders convened by the Department of State. Participants in both processes would submit an application to the FTC detailing the requirements and scope of the code of conduct.
To establish a self-regulatory compliance program, any person may apply for certification from the FTC to administer and enforce one or more codes of conduct that have been approved by the FTC.
In any suit or action brought under the Act, the defendant will have a complete defense if it demonstrates that it has maintained a public commitment to adhere to an FTC-approved code of conduct that covers the practices at issue in the suit or action and is in compliance with such code of conduct.