On Friday, February 27, 2015, the White House released a revised version of its 2012 proposal for a consumer privacy bill of rights. The revised legislative proposal largely tracks with the 2012 proposal in that it focuses on seven core principles for the collection, use and security of consumers’ personal data:
- Transparency: Covered entities would be required to provide clear and concise notices about their privacy and security practices.
- Individual Control: Covered entities would be required to allow consumers to exercise control over what data is collected about them and how it is used.
- Respect for Context: Covered entities would be required to collect and use data in ways that are consistent with the context in which consumers provide such data, and to conduct internal reviews of privacy and security practices for data collected outside of such contexts.
- Focused Collection and Responsible Use: Covered entities would be required to collect, retain and use only data that is reasonable in light of context, and to delete or de-identify data within a reasonable time period after use.
- Security: Covered entities would be required to identify reasonable risks and implement safeguards designed to protect against breach, theft, loss, etc. of personal data.
- Access and Accuracy: Covered entities would be required to grant individuals access to, or an accurate representation of, data collected about them upon request. The consumer would have the right to correct or amend the data.
- Accountability: Covered entities would be required to take steps appropriate to the privacy risks associated with their data collection activities, including employee training, conducting periodic internal risk assessments, and constructing appropriate security systems and procedures.
The proposal would grant the FTC, as well as state attorneys general, enforcement authority, and would include civil penalties for violations. It would also preempt any state laws governing consumer data, except for those pertaining to health information, financial information, data on minors and K-12 students, fraud and consumer safety, and state data breach notification laws. It would provide a qualified exemption for entities subject to specified federal privacy and data security laws, such as the Gramm-Leach-Bliley Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA).
Covered entities are defined under the proposal as any “person that collects, creates, processes, retains, uses, or discloses personal data in or affecting interstate commerce,” but would not include federal, state or local government agencies, tribal governments, or entities that collect personal data of fewer than 10,000 persons over a 12-month period. The definition also excludes entities that collect personal data for the purposes of security research, provided such entities take reasonable steps to mitigate privacy risks and destroy or de-identify such data after research activities are concluded.
Finally, the proposal establishes a mechanism whereby a covered entity may apply to the FTC for approval of private “codes of conduct” governing the processing of personal data by the covered entity. If the FTC determines that the private code of conduct provides equal or greater protections than the relevant requirements described above, such codes may serve as a safe harbor defense in any suit brought against the covered entity for alleged violations of the Act.
It is unclear at this time whether a bill with the same or substantially the same language will be introduced in Congress, or if this will serve as a discussion draft to assist in the crafting of legislation as Congress moves forward.