Following up on President Obama’s historic visit to the FTC in January, during which he laid out his privacy and data security agenda, the administration released a discussion draft of the Consumer Privacy Bill of Rights Act (the “Act”) on February 27, 2015. The Act lays out a number of privacy and security requirements with which entities subject to the Act would be required to comply. Chief among them are requirements to disclose privacy and data use policies to affected individuals, allow individuals to have greater control over their personal data, and identify and take steps to mitigate data security risks. The Act also provides a basic overview of enforcement mechanisms and establishes some “safe harbors” that would allow otherwise covered entities to avoid liability for violations of the Act under certain limited circumstances. Finally, the Act gives the Federal Trade Commission rulemaking and civil penalty authority to assist in the implementation and enforcement of the Act.
Although the bill was not formally introduced for consideration in Congress, its release has jumpstarted a discussion among industry stakeholders and consumer and privacy advocacy organizations on various legislative approaches to mandating privacy and data security protections for consumers. And while the future of the Act is far from certain, any private entity that engages in personal data processing should be aware of the discussion draft and its potential impact on business practices.
Reactions from the FTC
Several FTC officials have expressed significant reservations about the proposed legislation and its ability to effectively protect consumers. While acknowledging the proposal’s usefulness in moving forward the current international debate over how data protection should be regulated in the U.S., FTC Chairwoman Edith Ramirez also raised concerns about a number of potentially problematic loopholes and a lack of clarity in certain areas, such as the authority of privacy review boards to set industry-specific best practices. Commissioner Julie Brill and Bureau of Consumer Protection Director Jessica Rich also have expressed concerns, with Commissioner Brill saying “we need to put the consumer back in the consumer privacy bill of rights.” Director Rich has asserted that the proposal creates exceptions that would allow companies to maintain control over data and limit consumer choice about how their information is used. Officials also are worried about the bill’s potential to restrict the FTC’s enforcement capabilities. This is a hot button for the FTC right now because of the recent decision by the Federal Communications Commission to reclassify broadband as a Title II service in its Open Internet order, which limits FTC jurisdiction over those service providers.
Senators Ed Markey (D-Mass.) and Al Franken (D-Miss) both issued statements opposing the bill on the basis that it does not do enough to protect consumer privacy. Mr. Markey subsequently introduced his own privacy bill (S.668) that he claims will provide more comprehensive consumer privacy protection, particularly with respect to data brokers. On the House side, Reps. Peter Welch (D-Vt.) and Marsha Blackburn (R-Tenn.) on March 12 released draft legislation focused on data breach prevention and notification requirements. The Commerce, Manufacturing & Trade Subcommittee for the House Energy and Commerce Committee held a hearing on March 18 to discuss the draft of the legislation.
Several consumer groups likewise came out against the President’s bill, concerned that it would not adequately protect consumers because of a lack of clarity about what types of information are covered and the range of exemptions for covered entities.
Not surprisingly, many private entities and trade associations also have opposed the legislation because of the potential for enhanced oversight and regulation, which they argue could lead to a chilling effect on consumer product innovation.
What to Expect Going Forward
In light of the initial reactions to the White House proposal, and in the absence of support from the majority in Congress, it is unlikely that the draft proposal will be introduced in the House or Senate without substantial revisions. If introduced, any bill would require strong bipartisan support to move forward, and it is difficult to see how the present draft could come close to achieving this objective. In any event, the release of this draft legislation should serve as a reminder that privacy issues will remain paramount in the Administration’s agenda and the FTC is likely to continue to vigorously enforce existing privacy and data security laws until such time as a new law comes to fruition.