The White House released its much-anticipated legislative proposal on the Consumer Privacy Bill of Rights Act (CPBRA) that was first floated in 2012. The CPBRA, if enacted (which seems unlikely before 2016), would give consumers the right to decide what personal data companies collect, how they collect it, and how they use it. Personal data is defined in far broader terms than we have seen in previous privacy legislation to include address, phone number, or persistent identifier, in addition to actual personally identifiable information such as a Social Security number. Covered entities include any person that collects, processes, or retains personal data of more than 10,000 individuals. The principles of the CPBRA are: transparency; individual control over data; respect for context in processing data; focused collection and responsible use; security; access and accuracy; and accountability.
The legislative proposal would give the FTC Administrative Procedure Act (APA) rulemaking authority to establish the minimum requirements for codes of conduct under which covered entities can qualify for a safe harbor. The FTC is not given APA rulemaking authority over other sections of the proposal. The proposal would also give the FTC and state attorneys general enforcement authority over violations, but preclude private rights of action. There is a carve-out for entities that are covered by comparable provisions of another Federal privacy law, including the Gramm-Leach-Bliley Act, the Communications Act of 1934, and the Health Insurance Portability and Accountability Act.
Given the breadth of this proposal and the almost immediate negative reactions from industry, some privacy hawks on Capitol Hill, the FTC (although Commissioners have applauded the CPBRA as a start), and consumer and civil liberties groups, the proposal seems unlikely to move forward in Congress. However, it may be used to inform future agency enforcement actions and guidance.