The White House, on February 23, 2012, released its long-awaited Consumer Privacy Bill of Rights ("Consumer Privacy Bill of Rights") as part of a White House Report1 on consumer data privacy that according to the White House will provide a baseline of clear data privacy protection for consumers as well as greater certainty for companies.2 While the Consumer Privacy Bill of Rights itself does not create any legal obligations for companies at this time, the White House intends the Consumer Privacy Bill of Rights to be used as a framework by both federal lawmakers and stakeholders to create federal data privacy legislation and enforceable codes of conduct.
The main principles of the Consumer Privacy Bill of Rights are, not surprisingly, similar to the core principles of European Union privacy law. Implementation of this Bill of Rights through legislation would help harmonize US privacy laws with Europe as well the Asia-Pacific Economic Cooperation ("APEC") privacy framework recognized by APEC member economies. The elements of the Consumer Privacy Bill of Rights are:
(1) Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
(2) Transparency: Consumers have a right to easily understandable information about privacy and security practices.
(3) Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
(4) Security: Consumers have a right to secure and responsible handling of personal data.
(5) Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
(6) Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
(7) Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill.3
In order to enforce these principles and hold organizations accountable for their data privacy practices, the White House has tasked the Department of Commerce's National Telecommunications and Information Administration ("NTIA") to work with stakeholders to develop enforceable codes of conduct, based on the Consumer Privacy Bill of Rights, that would be binding on companies that adopt such codes of conduct.4 Compliance with the codes of conduct would be enforced by the Federal Trade Commission ("FTC") pursuant to its authority under the FTC Act5 to take action against companies that engage in unfair or deceptive trade acts in interstate commerce.6 As a result, companies that voluntarily adopt a code of conduct will make commitments that are legally enforceable by the FTC. While adoption of these codes of conduct would be voluntary, the White House believes that by requiring the FTC to consider a company's adherence to a code favorably during enforcement actions, companies will be incentivized to voluntarily adopt acceptable codes of conduct.7 Enforcement over the years in this area by the FTC has not been extensive and the penalties in most cases have not been substantial. It is not clear whether this is due to challenges with existing law or if there is a lack of sufficient funding and resources. Notably, the White House Report does not discuss FTC funding for this added responsibility, and it remains to be seen how many additional resources the FTC will be able to devote to such investigations and enforcement actions.
Along with the development of enforceable codes of conduct by stakeholders, the White House Report urges Congress to pass federal legislation that codifies the Consumer Privacy Bill of Rights;8 and grant the FTC and State Attorney Generals direct authority to enforce the statutory Consumer Privacy Bill of Rights.9 The White House Report also recommends that federal legislation preempt state laws to the extent that such laws are inconsistent with the Consumer Privacy Bill of Rights in order to create a national standard for data privacy.10 As readers of our Technology Newsflash know, one of the significant challenges in this area has been navigating the existing patchwork of federal and state laws. The White House Report also urges the creation of a national standard for data security breach notification that would replace the various state breach notification laws.11 Congress should provide forbearance to companies that adopt and comply with FTC approved codes of conduct from enforcement of state data privacy laws.12
The White House further suggests that new federal legislation should not displace existing sectoral federal laws and companies that are subject to existing federal data privacy laws should be exempt from new legislation to the extent their activities are covered by existing federal laws.13 This reference is to existing protections that exist for industries such as financial services and healthcare which have been in place for years.
Finally, the White House supports the creation of a safe harbor program administered by the FTC that would allow companies that adopt FTC approved codes of conduct to receive forbearance from enforcement of the statutory Consumer Privacy Bill of Rights.14 Companies that do not adopt a FTC approved code of conduct would be subject to the general requirements of any legislatively adopted Consumer Privacy Bill of Rights.15 This is an important balance because a number of online industries have flourished as the government chose to not legislate in this area and what is proposed, while not usual to citizens of other countries, would represent a significant change in the law for American citizens and businesses. Businesses would simply need, and should receive, adequate time to adapt.
Several members of Congress have shown support for federal data privacy legislation over the last year as evidenced by the previously discussed data privacy bills introduced in Congress. The White House Report is likely to invigorate this discussion, and it would not be surprising to see a member of Congress introducing a federal data privacy bill that contains the basic principles of the White House's Consumer Privacy Bill of Rights. The proposal is very appealing for political reasons, but it will be interesting to see if legislation gets passed this time given that similar initiatives have failed over the past few years.
1 - The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (February 2012), www.whitehouse.gov/sites/default/files/privacy-final.pdf.
2 - Id. at 1.
3 - Id. at 47.
4 - Id. at 26-27.
5 - Federal Trade Commission Act, § 5, 15 U.S.C. § 45 (2006).
6 - White House Report, supra note 1, at 27.
7 - Id. at 24.
8 - Id. at 35.
9 - Id. at 36.
10 - Id. at 37.
11 - Id. at 39.
12 - Id. at 37.
13 - Id. at 38.
14 - Id. at 37.
15 - Id.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.