On February 27, 2015, the White House released a discussion draft of its proposed Consumer Privacy Bill of Rights Act of 2015, which seeks to protect the privacy and security of individual consumers’ personal data. The proposed bill has a broad reach across industries by imposing requirements on all entities that collect, create, process, retain, use or disclose personal data in interstate commerce, with a few exceptions. The bill would empower the Federal Trade Commission (“FTC”) and state attorneys general to enforce these proposed requirements, but does not create a private right of action.
The proposed act obligates covered entities to take proactive measures to protect the personal data and privacy of consumers. It requires entities to notify consumers about their privacy and security practices, such as information related to the type, source and purpose of collected personal data; provide consumers the means to control the processing of their data and withdraw their consent to such processing; permit consumers access to their data upon request; destroy or de-identify personal data within a reasonable period of time; and assess internal and external risks to the security of personal data and implement reasonable security measures as safeguards to control those risks. The reasonableness of security measures would depend on the degree of privacy at risk, the foreseeability of threats, the degree of acceptance of the measures and the cost to implement.
The bill only requires entities to implement these measures in a manner that is reasonable in light of the “privacy risks,” defined to mean those risks that cause emotional distress or physical, financial or professional harm to the consumer.
The bill contains certain notable limits. For instance, some of the requirements contain a “customary business records” exception for personal data collected in the ordinary course of business. Also, some of the bill’s requirements would be limited to what is reasonable “in light of context.” The bill provides a flexible definition of “context” based on a number of factors, including the nature and frequency of interactions between the entity and consumers, the types of data foreseeably needed for the entity to provide a good or service and the age and sophistication of the consumers.
The bill empowers the FTC to treat violations as an unfair or deceptive act or practice, and the Commission could seek injunctive relief or a civil penalty up to $25 million. State attorneys general acting without the FTC could only seek injunctive relief. While the act proposes preemption of state laws concerning personal data processing, this provision excludes certain state laws—particularly state consumer protection laws and data breach notification laws—under which an entity still could face potentially large liability.
The bill proposes some limits in enforcement. It creates safe harbor protection by giving an entity a complete defense to any action if the entity complied with an industry code of conduct previously approved by the FTC and the code of conduct covers the practices that underlie the action. The bill also permits an eighteen month grace period from the date the entity first created or processed the data before the FTC could bring an enforcement action seeking civil penalties against an entity.
The draft Consumer Privacy Bill of Rights Act has drawn criticism from both privacy advocates and segments of the business community, and it seems unlikely that Congress could pass the bill in its current form. Nevertheless, the bill demonstrates the growing pressure on all companies that handle personal data to protect the privacy and security of that data, including increased efforts to place a greater burden on companies to prepare for foreseeable risks. The bill also demonstrates that industries are being encouraged to standardize practices related to the privacy and security of consumer data, despite the concern that industry codes could stifle innovation.
For a copy of the Draft Consumer Privacy Bill of Rights Act of 2015, please click here.