The White House released a discussion draft of President Barack Obama’s Consumer Privacy Bill of Rights to tepid reviews.
As promised by the President, the bill is intended to provide baseline privacy protections for consumers in the commercial context.
The measure would have broad application to all entities that collect, use, or otherwise process personal data, defined as any data that is linked or linkable to a specific individual or a device associated with or routinely used by an individual (“unique persistent identifiers” are specifically included). Covered entities would be required to provide consumers with concise and easy-to-understand notice about privacy and security practices, as well as “reasonable means to control the processing of personal data about them in proportion to the privacy risk to the individual and consistent with context.”
While some exemptions exist—for companies that have five or fewer employees, for example, or entities that process the personal data of fewer than 10,000 individuals and devices per year—the bill does not except companies that are already subject to privacy or data security laws, such as those in the healthcare and financial services industries.
The bill would require companies that process personal data “in a manner that is not reasonable in light of context” to conduct a privacy risk analysis and mitigate any identified privacy risks by taking reasonable steps that include, at a minimum, providing in-context notice about the “unreasonable” personal data practices as well as “a mechanism for control that is reasonably designed to permit individuals to exercise choice to reduce such privacy risk.”
In addition, companies would be required to delete or de-identify personal data within a reasonable time after the purposes for which the personal data were first collected are fulfilled and to establish information security controls in line with accepted practices.
Enforcement powers are granted to the Federal Trade Commission (with the potential for up to $25 million in civil penalties under certain circumstances), but the agency was not granted rulemaking authority. Instead, industries would develop their own codes of conduct, which the agency would enforce. Covered entities that comply with an approved code would be provided with a safe harbor.
No private right of action would be created, but the bill would not preempt the power of state attorneys general to enforce their own consumer protection laws.
The proposal managed to unite those on both sides of the privacy debate in general unhappiness.
The Association of National Advertisers called it “a major step in the wrong direction,” while Interactive Advertising Bureau general counsel Mike Zaneis wrote a column for The Hill expressing concern that “[p]ursuing a privacy bill in an attempt to prevent theoretical harms is sure to put a deep chill on the creators, designers, and innovators the president called ‘the Pioneers of this Information Age.’”
Consumer groups such as the Center for Democracy and Technology, Electronic Frontier Foundation, and Consumer Watchdog said the law doesn’t go far enough. “Unfortunately, the President’s bill falls short on the privacy protection needed in today’s digital world: it just has too many loopholes and doesn’t provide for meaningful enforcement,” CDT’s director of consumer privacy Justin Brookman said in a statement.
Lawmakers similarly expressed disappointment and responded with their own version of the proposal: the Commercial Privacy Rights Act of 2015. The bill, which also features the return of the Do Not Track Kids Act and a data breach notification provision, applies to entities under the FTC’s supervision, 501(c) nonprofits, and common carriers under the Communications Act, but with a slightly narrower definition of covered information.
Importantly, the Act not only features a safe harbor for self-regulatory programs, but also exempts entities to the extent they are subject to provisions of enumerated federal laws such as the Gramm-Leach-Bliley Act, the Fair Debt Collection Practices Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act, among others.
Why it matters: The release of the discussion draft furthers the President’s agenda on cybersecurity and privacy-related issues, but the unenthusiastic response from industry and consumer groups and the introduction of a congressional version do not bode well for the bill’s success. Even the FTC seemed worried: “We are pleased that the Administration has made consumer privacy a priority, and this legislative proposal provides a good starting point for further discussion,” an agency spokesperson said in a statement. “However, we have concerns that the draft bill does not provide consumers with the strong and enforceable protections needed to safeguard their privacy. We look forward to working with Congress and the Administration to strengthen the proposal.”