The Obama Administration has unveiled a 50-page blueprint for consumer data privacy, including a recommendation for a federally legislated and FTC-enforced Consumer Privacy Bill of Rights. While it would not alter existing laws, the legislation would extend privacy protections to unregulated sectors and preempt conflicting state law. The Administration's framework also recommends a national standard for security breach notifications.
Consumer Privacy Bill of Rights. The Bill of Rights applies to personal data, defined as any data, including aggregated data, which is linkable to a specific individual. Though not a rigid set of requirements, it establishes individual rights based on seven Fair Information Practice Principles:
Individual Control: Consumer choice mechanisms must be proportionate to the amount and sensitivity of data an entity collects. Consumers have an affirmative right to withdraw or limit their prior consent via methods as accessible as those by which they initially granted consent.
Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
Respect for Context: Consumers have a right to expect that data use will be consistent with the context in which they provided the data. Companies should consider the age and technological sophistication of users, particularly children and teenagers. This principle contemplates agreements not to create individual profiles about children regardless of consent.
Security: Consumers have a right to secure and responsible handling of personal data, though companies are given discretion to implement this through reasonable means.
Access and Accuracy: Properly authenticated consumers have a right to access and correct data collected about them.
Focused Collection: Consumers have a right to reasonable limits on data collection and retention.
Accountability: Consumers have a right to have data handlers held accountable through mechanisms such as enforceable privacy commitments, internal controls and contract requirements. Companies transferring data remain accountable for using and disclosing the data consistent with the Bill of Rights and thus should hold transferees contractually accountable.
Stakeholder Developed Codes of Conduct. With Congress unlikely to act this year, the report endorses a more immediate multistakeholder process of voluntary industry codes of conduct, to be backed up by FTC enforcement. These codes of conduct would be developed through voluntary open stakeholder discussions convened by the Department of Commerce’s National Telecommunications and Information Administration. In addition to stakeholder input, the codes would take into account globally accepted accountability mechanisms so that they may be recognized across boundaries. As proposed, Federal and state government officials can advise, but the process will ultimately be controlled by private sector stakeholders. Entities can choose to adopt multiple codes to cover different lines of business, but they will only be bound by codes they affirmatively adopt. The Administration further plans to include international stakeholders in this process, in the hope that such "multistakeholder-developed codes of conduct, combined with existing [international] mutual recognition frameworks, hold the promise of greatly simplifying companies' [international] compliance burdens." The Safe Harbor Framework is praised, but its limited reach has made it an imperfect solution to the challenges of transatlantic data transfers.
FTC Enforcement. Like privacy policies, the adopted codes of conduct will be enforceable by the FTC through its authority to prohibit unfair or deceptive acts or practices. The codes can be updated and Congress could prescribe renewal periods for periodic FTC reviews. As an incentive to adopt the codes, it is proposed that the FTC consider a company's adherence to codes favorably in any related enforcement action. In addition, the report recommends congressional authorization for the FTC to review and approve codes and grant companies that commit and adhere to approved codes forbearance from enforcement of provisions of the legislation. Companies that decline to adopt a code or do not seek FTC review would be subject to the general obligations of the Bill of Rights.
The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade is expected to hold a hearing on the report in March.