President Obama continued his push for privacy legislation by recently unveiling a draft Consumer Privacy Bill of Rights Act (“Draft Bill”). To move forward, the Draft Bill must be sponsored by a member of Congress and is very likely to undergo substantial revisions both before that happens and after. According to press reports, the proposal has already drawn criticism from lawmakers, the Federal Trade Commission (FTC), industry associations and consumer advocates. Nonetheless, the Draft Bill provides insight into what the administration is thinking. The proposal would require covered entities to comply with so-called fair information practice principles (FIPPs) and impose civil penalties in the event of noncompliance, but it would also provide a safe harbor for those that adhere to codes of conduct approved by the FTC.
The Draft Bill defines personal data broadly, with a few exceptions, as any nonpublic data under the control of a covered entity that is linked or linkable not only to an individual, but even to his or her device. It would establish FIPPs-based obligations for a covered entity that collects, creates, processes, retains, uses or discloses personal data. These include requirements to:
- Provide individuals with notice about its privacy and security practices;
- Provide individuals with control over the processing of their personal data;
- Conduct a privacy risk analysis in connection with certain practices that are “not reasonable in light of context” and, in some cases, provide heightened notice and choice with respect to them;
- Collect, retain and use personal data in a manner that is reasonable in light of context;
- Meet certain data security requirements;
- Provide individuals with the opportunity to access, correct or delete their personal data and establish procedures to ensure that personal data is accurate; and
- Establish procedures to ensure compliance, such as through employee training, evaluations, privacy by design, and contractual restrictions.
Importantly, the Draft Bill would create a safe harbor from enforcement for those that adhere to FTC-approved codes of conduct.
The Draft Bill would preempt state laws that impose requirements on the processing of personal data, which could include, for example, provisions in California’s Online Privacy Protection Act and Shine the Light law. The Draft Bill would not, however, affect other federal privacy and security laws, preempt general state consumer protection laws, or preempt certain other state or local laws, such as those addressing the processing of health or financial information, data breach notification requirements, or the privacy of minors or K-12 students.
If the Draft Bill were to become law as currently drafted, the FTC would have the authority to enforce it under Section 5 of the FTC Act, as well as to impose civil penalties of up to $25 million in the event of a violation with actual or implied knowledge. State Attorneys General could seek injunctive relief, but there would be no private right of action.