On Monday, January 12, President Obama gave a speech at the Federal Trade Commission in which he announced a multi-faceted legislative agenda aimed at creating a uniform national breach notification requirement, establishing national standards for consumer privacy, and expanding protections for educational data. While the President’s speech and the accompanying fact sheet outlined a broad privacy agenda, both were short on detail, leaving the public – and Congress – to speculate about the specifics of the President’s plan.
Personal Data Notification and Protection Act
So far, the Personal Data Notification and Protection Act has garnered the most media attention. As described by the President, the proposed legislation would create a uniform federal requirement to notify consumers within 30 days of a data breach. While businesses may ultimately prefer adhering to a single national rule instead of navigating the labyrinth of 47 state breach notice laws, it may be too soon to take a position on the President’s proposal. Specifically, the White House has disclosed little more than the bill’s name and the fact that it would establish a 30-day window to provide breach notices to consumers. More critically, the Administration has yet to hint at other key aspects of the proposed law, such as the trigger for starting the 30-day clock and how to allocate notice obligations among different parties implicated by a single breach.
Consumer Privacy Bill of Rights Legislation
The President also announced that, in the next 45 days, he plans to resurrect a revised version of his 2012 Consumer Privacy Bill of Rights legislation. In describing the updated proposal, the President stated:
[W]e believe that consumers have the right to decide what personal data companies collect from them and how companies use that data, that information; the right to know that your personal information collected for one purpose can’t then be misused by a company for a different purpose; the right to have your information stored securely by companies that are accountable for its use.
To anyone familiar with privacy and data security policy issues, the President’s description seems more like a restatement of the well-trod concept of providing notice to, and obtaining consent from, consumers before collecting or using personal information. Yet, this apparent reaffirmation of the status quo seems at odds with the White House’s May 2014 report, Big Data: Seizing Opportunities, Preserving Values (the Big Data Report), which suggested that, in an era of big data, the existing notice and consent framework as a mechanism to control the collection and retention of personal data “may no longer be sufficient to protect personal privacy.” Companies should stay tuned to see how the Administration reconciles this tension.
Student Digital Privacy Act
Although the Family Educational Rights and Privacy Act (FERPA) already provides students with significant protection of their educational records, FERPA was drafted before the Internet became a ubiquitous presence in the classroom. Thus, as part of his preview of his legislative agenda, the President has proposed a new piece of legislation – the Student Digital Privacy Act – aimed at ensuring that data collected in the classroom is used only for educational purposes and is not sold to third parties for commercial uses. Modeled on a similar California law, the Student Digital Privacy Act will implement the Big Data Report’s recommendation to modernize FERPA. Once again, however, the Administration offered little guidance about the contents of the proposed legislation.
Following a year marked by several record-breaking breaches and hacks, few should be surprised at the inclusion of data privacy issues in the Administration’s legislative agenda. With so few concrete proposals on the table, it remains to be seen how – or whether – Congress will respond to the President’s legislative proposals. But businesses should still expect privacy and data security issues to be significant topics of debate among policymakers in 2015.