Earlier this week, President Obama gave a speech at the FTC laying out an agenda on privacy and data security issues, and indicating that the topic is important enough to the administration that it will be included in his upcoming State of the Union address. Generally, the initiative’s goals include tackling identity theft, protecting the privacy of student data and working toward a general privacy “bill of rights” to provide comprehensive data and privacy protections.
The most concrete and impactful proposal for businesses is likely the proposed Personal Data Notification & Protection Act. This legislation would clarify and strengthen corporate obligations to notify customers when personal information is exposed. This would include establishing a requirement to notify within 30 days of discovering a breach, creating a single national standard. The administration also is promoting greater access to credit scores, an early indicator of identity theft. Numerous companies (including several financial institutions) already have started to provide this information to their customers, reaching nearly half of all Americans.
The President is also releasing a legislative proposal to ensure that student data collected in the educational context is only used for educational purposes. This bill is modeled on a California statute. Potential protections include preventing the sale of student data to third parties for purposes unrelated to education, and prohibiting targeted advertising to students based on data collected in school. Again, numerous companies have signed on to support this initiative, pledging to provide parents, teachers and students with protections against the misuse of their data.
PRIVACY BILL OF RIGHTS
In 2012, the president (through the Department of Commerce) proposed a comprehensive “Consumer Privacy Bill of Rights.” The public comment on draft legislation related to this proposal has been completed, and the president is now calling on Congress to consider the issue.
Of course, President Obama’s advancement of these proposals does not mean that they will be enacted. Commentators seem to agree that a federal law on data breach notification could be passed by this Congress. If so, such a federal notification law may preempt existing state data breach notification laws—which can be helpful to companies that currently have to deal with various state law requirements. More significantly, some commentators have also suggested that any data breach notice law would probably exclude a private right of action and instead leave enforcement to the FTC. The student privacy proposals appear to have the most specific and narrow impact, primarily affecting those in the education field.
The “Privacy Bill of Rights,” however, could have a significant impact on businesses if enacted. Currently, this aspect of the proposal is anticipated to be a more sweeping law akin to European Union privacy laws, which could obviously have far-reaching effects on many businesses. Again, the consensus of commentators appears to be that this is an ambitious law that will face a very difficult road to enactment under this Congress. Omnibus privacy bills have been put forth on multiple occasions since 2000 with little success and, although this bill may meet the same fate, it is worth watching.