Today the Obama Administration released a draft Consumer Privacy Bill of Rights Act, aimed at establishing baseline protections for individual privacy in the commercial world. If enacted, the bill would preempt state law and bolster the Federal Trade Commission's (FTC) enforcement authority but would not grant a private right of action.
Key provisions of the proposal are as follows:
Privacy Bill of Rights
Transparency: Mandates that covered entities (CEs) provide individuals "concise," "easily understandable" and "conspicuous" notice regarding their privacy and security practices. The bill specifically protects against disclosure of trade secret information.
Individual Control: Requires CEs to provide individuals with "reasonable means" to control processing of personal data about them proportionate to the associated privacy risk:
- Requires CEs to provide individuals an avenue for withdrawing consent
- Clarifies that CE obligations are limited to practices consistent with the First Amendment
- Mandates advance notice for material changes to practices affecting collection, use, dissemination, or maintenance of personal data
Context: Requires a privacy risk analysis for personal data processing that is unreasonable in light of context. Establishes a presumption of reasonableness for personal data processing that "fulfills an individual's request."
Collection and Use: Limits collection, retention, and use of personal data to a manner that is reasonable in light of context and requires CEs to delete, destroy, or de-identify personal data within a "reasonable time" after original purpose has been fulfilled.
Security: Requires CEs to identify privacy risks (internal and external), establish and maintain safeguards to secure personal data, regularly assess such safeguards, and adjust safeguards accordingly.
Access: Upon request, CEs must grant individuals reasonable access to, or accurate representation of, personal data pertaining to that individual and within control of CE (with specific limitations related to, e.g., law enforcement or national security protections, privileged information, and frivolous requests). Requires CEs to establish means for individuals to dispute accuracy of information but allows CEs to decline correction or amendment of information.
Accountability: CEs must take measures to ensure compliance with the Act, including employee training, evaluation of privacy protections, and privacy by design into company systems.
Federal Trade Commission
The bill also augments the FTC's enforcement authority over data privacy and security practices:
Unfair or Deceptive Acts/Practices: Violations of the Act will be treated as unfair or deceptive acts or practices in violation of section 5 of the Federal Trade Commission Act.
FTC Authority: Violators are subject to the penalties, and entitled to the privileges and immunities, provided in the Federal Trade Commission Act. Creates an 18-month grace period from enforcement actions after the date the CE first created or processed personal data.
FTC Limitations: FTC cannot require an entity or person to deploy or use specific products or technologies.
State Attorneys General
The bill also outlines enforcement authority for state attorneys general (AG):
Civil Actions: State AG may bring civil action where violation caused or is causing harm to a "substantial number" of its state's residents; however, the only remedy available is injunctive relief (barring intervention from the FTC).
FTC Notice: State AG must provide the FTC a copy of the complaint at least 30 days in advance of filing a civil action, and the FTC has discretion to intervene as a party and assume lead responsibility for the prosecution.
- CE is liable for civil penalties where it violated the Act with "actual knowledge" or "knowledge fairly implied on the basis of objective circumstances."
- Penalty amount should account for the violator's degree of culpability, history of prior similar conduct, ability to pay and to continue business operations, and any other relevant factors as justice may require.
- Penalties increase by the number of days that the CE violated the Act, with a cap set at $35,000.
- Where the FTC provides notice of violation to CE, penalties increase by the number of affected consumers, with a $5,000 maximum penalty, unless the CE files an objection (subject to certain criteria) within 45 days.