The White House has recently released a discussion draft of the Consumer Privacy Bill of Rights of 2015 ("the CPBR"). The CPBR is designed to codify a framework that would impose privacy and data security requirements across sectors and industries in the U.S.
The CPBR would apply to entities that collect, process, create, retain, use, or disclose personal data in or affecting interstate commerce, with several exceptions (e.g. entities that collect personal data of fewer than 10,000 individuals and devices during any 12-month period, or that have 5 or fewer employees).
Pursuant to the Bill, "personal data" is defined broadly, and would generally include data linked to a specific individual or device but not otherwise generally available to the public through lawful means. It is important to note that personal data would also encompass "unique persistent identifiers" and other identifiers or uniquely "descriptive information about personal computing or communication devices."
The proposed Bill would require data collectors to develop data collection codes of conduct that implement industry standards for safeguarding personal data, and which adhere to the following principles:
- Transparency – provide consumers with concise, accurate and easily understandable notices about the data collector's privacy and security practices, the purposes for which the data collector collects and uses the personal data, when such personal data will be deleted or de-identified, etc.
- Individual Control – data collectors would need to provide consumers with reasonable means to control the processing of personal data about them, and means to withdraw their consent to the processing of personal data.
- Respect for Context – if a data collector processes personal data in a manner that is not reasonable in light of the context in which it was collected, it would need to conduct a privacy risk analysis of that processing.
- Focused Collection and Responsible Use – data collectors would be permitted to collect, retain and use personal data only as is reasonable in light of context.
- Security – data collectors would be required to establish, implement and maintain reasonable security safeguards.
- Access and Accuracy – data collectors would generally be required to provide consumers with reasonable access to the personal data about them that the data collector retains and controls.
- Accountability – data collectors would be required to provide training to employees, adopt privacy-by-design processes and take other reasonable steps to ensure compliance with the CPBR.
Failure of a data collector, or any other business subject to the CPBR, to comply with the CPBR or with its code of conduct would expose it to enforcement by the FTC and by state attorneys general.