On February 27, 2015, President Obama unveiled the Consumer Privacy Bill of Rights Act of 2015, a draft bill intended to govern the collection and dissemination of consumer data. The Privacy Bill of Rights is a revival of draft legislation the White House first introduced in 2012.[1] It is being re-introduced as a companion to the Data Security and Breach Notification Act of 2015, which would require organizations to disclose data breaches in a timely manner to mitigate risk of identity theft.[2]

The White House says the proposed bill is intended to start talks with Congress, consumers, and industry leaders with the end goal of passing federal privacy legislation. "The draft seeks to provide customers with more control over their data, companies with clearer ways to signal their responsible stewardship over data, and everyone with the flexibility to continue innovating in the digital age," a spokesperson for the White House said.[3]

The bill has been lauded by some as a step toward improving public perception and trust of big data aggregators: "The proposed Consumer Privacy Bill of Rights holds the potential to help not only consumers, but businesses as well," said Sarah Cortes of Northeastern University in Boston. "In today's global marketplace, consumers outside the U.S. form a huge and growing market. Establishing that U.S. enterprises must meet a high regulatory standard in consumer privacy provides a competitive advantage for U.S. companies."[4]

Critics say the bill will do little to deter privacy violations because of relatively weak enforcement provisions.[5] Most notably, fines for violations are calculated not by the number of affected individuals, but by the number of days during which a violation occurs. Thus, if a company were to sell millions of personal records in one day in violation of the proposed law, it would face a maximum fine of $35,000. In addition, new companies are exempt from any penalties for the first 18 months of their existence.[6]

The bill would also allow businesses[7] to draft their own codes of conduct and "privacy review boards," if they wish, for the protection of consumer data, which the Federal Trade Commission would then review and approve or deny as being in compliance with the proposed law.[8] Critics say this gives companies too much discretion over the protections consumers would receive and the loopholes companies could provide themselves.[9] "Instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally enforceable rules that companies must abide by and consumers can rely on," said Senator Edward J. Markey of Massachusetts.[10] Moreover, the bill allows only 90 days for the FTC to review the proposed code of conduct, which some say is insufficient for what could be hundreds of proposed codes developed by businesses at any given time.[11]

The proposed legislation would preempt most state privacy and data security laws, with such exceptions as privacy tort laws, state data breach notification laws, and privacy laws affecting minors.[12] Privacy advocacy groups worry the law would preempt strong state laws "without creating new protections that are clearly better."[13]

The bill has a long way to go before it would become law, but it is a first step to establishing a national privacy law that sets the standard for protection of consumer data by U.S. businesses.