Obama’s Privacy Bill of Rights Discussion Draft Gets Chilly Reception

White House Releases Draft of Consumer Privacy Bill of Rights Act

Last week the White House released a draft “Consumer Privacy Bill of Rights Act of 2015” as we indicated was coming in our prior post: Obama Revives Privacy Debate in FTC Speech

The bill’s elements are not substantially different from the White House’s prior outline, but its reliance on industry codes of conduct and preemption of state law has resulted in a backlash even among Obama’s FTC.

Key Provisions

Principal Element – Concise and Easily Understandable Disclosures

(a) In General. Each covered entity shall provide individuals in concise and easily understandable language, accurate, clear, timely, and conspicuous notice about the covered entity’s  privacy and security practices. Such notice shall be reasonable in light of context. Covered entities shall provide convenient and reasonable access to such notice, and any updates or modifications to such notice, to individuals about whom it processes personal data.
(b) Contents of Notice. The notice required by subsection (a) shall include but is not limited to 
(1) The personal data the covered entity processes, including the sources of data collection if the collection is not directly from the individual;  
(2) The purposes for which the covered entity collects, uses, and retains suchpersonal data;
(3) The persons, or categories of persons, to which, and purposes for which, thecovered entity discloses such personal data;
(4) When such personal data will be destroyed, deleted, or de-identified. If thecovered entity will not destroy, delete, or de-identify personal data, it shallspecify this in the notice;
(5) The mechanisms to grant individuals a meaningful opportunity to access theirpersonal data and grant, refuse, or revoke consent for the processing of personaldata;
(6) Whom individuals may contact with inquiries or complaints concerning the covered entity’s personal data processing; and
 (7) The measures taken to secure personal data.

Additional Elements:

  • Consumer Control
    Covered entities would be required to allow consumers to exercise control over what data is collected about them and how it is used;
  • Respect for Context
    Covered entities collect and use data in ways that are consistent with the context in which consumers provide such data. Would require internal reviews of privacy and security practices for data collected outside of such contexts.
  • Security
    Covered entities would be required to identify reasonable risks and implement safeguards designed to protect against breach, theft, loss, etc. of personal data.
  • Access and Accuracy
    Covered entities would be required to grant individuals access to, or an accurate representation of, data collected about them upon request. The consumer would have the right to correct or amend the data.

Enforcement

FTC and State AGs would be able to assess civil penalties.  Bill would preempt state laws.

Also creates Safe Harbor for enforceable industry codes of conduct.

Reaction

FTC-Logo

Federal Trade Commission Spokeperson

We are pleased that the Administration has made consumer privacy a priority, and this legislative proposal provides a good starting point for further discussion.  However, we have concerns that the draft bill does not provide consumers with the strong and enforceable protections needed to safeguard their privacy. We look forward to working with Congress and the Administration to strengthen the proposal.

Senator Ed Markey (D-MA)

While this proposal from the White House focuses attention on the need for strengthening the privacy rights of Americans, it falls far short of what is needed to ensure consumers and families are squarely in control of their personal data, Instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally-enforceable rules that companies must abide by and consumers can rely upon.

I am concerned that this proposal includes a provision that could preempt strong state laws that already are protecting the privacy rights of consumers. And I am especially concerned that companies and data brokers could be able to deny consumers the right to say no to selling their sensitive information for marketing purposes. Next week, I will introduce legislation that will allow consumers to access and correct their information to help ensure maximum accuracy. The bill also provides consumers with the right to stop data brokers from using, sharing, or selling their personal information for marketing purposes.  We need to put in place a system of rules that puts consumers in control of their information, not corporate interests and data reapers. I am committed to working with the White House and my Congressional colleagues to pass the strongest privacy legislation to protect American consumers.

Justin Brookman, Center for Democracy & Technology

Americans have long deserved comprehensive national consumer privacy legislation to protect their personal information. Unfortunately, the President’s bill falls short on the privacy protections needed in today’s digital world: it just has too many loopholes and doesn’t provide for meaningful enforcement. However, it’s encouraging that the President is working to advance privacy legislation and we remain committed to working with the Administration and Congress to improve this initial draft

John Simpson, Consumer Watchdog

The bill is full of loopholes and gives consumers no meaningful control of their data.

Jules Polonetsky and Chris Wolf, Future of Privacy Forum

Although the current system of FTC enforcement actions and strong sectoral laws provide important tools to address privacy harms, the ideas proposed in the bill are certain to help frame the discussion about privacy practices by companies and not-for profits in the future.  International data regulators should recognize that this bill is not a critique of the current system, but the opening of a nuanced conversation that seeks to balance benefit and risk, while being considerate of consumer right.

Alvaro M. Bedoya, Center on Privacy and Technolgy

Georgetown University Law Center

It would override state statutes that give people more protection.  It would be a significant setback for privacy.

Michael Beckerman, Internet Association

It is essential that any privacy rules are finely tailored to address specific harms, so that innovation, which benefits consumers and the economy, can continue to flourish. Today’s wide-ranging legislative proposal … casts a needlessly imprecise net.

Brendon Lynch, Mirosoft

The White House framework tackles issues that are crucial to build trust and foster innovation.  Not all will agree with every aspect of the proposal — some will say it goes too far, while others will say it doesn’t go far enough — but it’s a good place to start the conversation.