White House Re-Introduces Consumer Privacy Bill of Rights Act | White & Case LLP International Law Firm, Global Law Practice
White House Re-Introduces Consumer Privacy Bill of Rights Act

White House Re-Introduces Consumer Privacy Bill of Rights Act

White & Case Technology Newsflash

On February 27, 2015, President Obama unveiled the Consumer Privacy Bill of Rights Act of 2015, a draft bill intended to govern the collection and dissemination of consumer data. The Privacy Bill of Rights is a revival of draft legislation the White House first introduced in 2012.[1] It is being re-introduced as a companion to the Data Security and Breach Notification Act of 2015, which would require organizations to disclose data breaches in a timely manner to mitigate risk of identity theft.[2]

The White House says the proposed bill is intended to start talks with Congress, consumers, and industry leaders with the end-goal of passing federal privacy legislation. "The draft seeks to provide customers with more control over their data, companies with clearer ways to signal their responsible stewardship over data, and everyone with the flexibility to continue innovating in the digital age," a spokesperson for the White House said.[3]

The bill has been lauded by some as a step toward improving public perception and trust of big data aggregators: "The proposed Consumer Privacy Bill of Rights holds the potential to help not only consumers, but businesses as well," said Sarah Cortes of Northeastern University in Boston. "In today's global marketplace, consumers outside the U.S. form a huge and growing market. Establishing that U.S. enterprises must meet a high regulatory standard in consumer privacy provides a competitive advantage for U.S. companies."[4]

Critics say the bill will do little to deter privacy violations because of relatively weak enforcement provisions.[5] Most notably, fines for violations are calculated not by the number of affected individuals, but by the number of days during which a violation occurs. Thus, if a company were to sell millions of personal records in one day in violation of the proposed law, it would face a maximum fine of $35,000, and new companies are exempt from any penalties for the first 18 months of their existence.[6]

The bill would also allow businesses[7] to draft their own codes of conduct and "privacy review boards," if they wish, for the protection of consumer data, which the Federal Trade Commission would then review and approve or deny as being in compliance with the proposed law.[8] Critics say this places too much discretion in the hands of companies concerning the protections consumers would receive and loopholes companies could provide themselves.[9] "Instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally enforceable rules that companies must abide by and consumers can rely on," said Senator Edward J. Market of Massachusetts.[10] Moreover, the bill allows only 90 days for the FTC to review the proposed code of conduct, which some say is insufficient for what could be hundreds of proposed codes developed by businesses at any given time.[11]

The proposed legislation would preempt most state privacy and data security laws, with such exceptions as privacy tort laws, state data breach notification laws, and privacy laws affecting minors.[12] Privacy advocacy groups worry the law would preempt strong state laws "without creating new protections that are clearly better."[13]

The bill has a long way to go before it would become law, but it is a first step to establishing a national privacy law that sets the standard for protection of consumer data by U.S. businesses.

 

[1] - Analysis of the Consumer Privacy Bill of Rights Act, Center for Democracy & Technology (March 2, 2015), available at: https://cdt.org/insight/analysis-of-the-consumer-privacy-bill-of-rights-act
[2] - Id.
[3] - Emily Field, Consumer Privacy Bill of Rights Falls Short, Groups Say, Law 360 (Mar. 4, 2015), available at: http://www.law360.com/articles/627415/consumer-privacy-bill-of-rights-falls-short-groups-say  
[4] - Analysis of the Consumer Privacy Bill of Rights Act, supra.
[5] - Analysis of the Consumer Privacy Bill of Rights Act, supra.
[6] - Id.
[7] - The bill covers any person or entity that collects, creates, processes, retains, uses, or discloses personal data in or affecting interstate commerce. Administration Discussion Draft: Consumer Privacy Bill of Rights Act, § 4(b) (Feb. 27, 2015).
[8] - When promulgating regulations under this subsection, the FCC shall consider, among other factors: the range of evaluation processes suitable for covered entities of various sizes, experiences, and resources; the range of evaluation processes suitable for the privacy risks posed by various types of personal data; the costs and benefits of levels of independence and expertise; the costs and benefits of levels of transparency and confidentiality; the importance of mitigating privacy risks; the importance of expedient determinations; and whether differing requirements are appropriate for Boards that are internal or external to covered entities. Id. § 103(e).
[9] - Emily Field, Consumer Privacy Bill of Rights Falls Short, Groups Say, supra.
[10] - Emily Field, White House Unveils Consumer Privacy Bill of Rights, Law 360 (Feb. 27, 2015), available at: http://www.law360.com/articles/626215/white-house-unveils-consumer-privacy-bill-of-rights
[11] - Emily Field, Consumer Privacy Bill of Rights Falls Short, Groups Say, supra.
[12] - Administration Discussion Draft: Consumer Privacy Bill of Rights Act, § 401 (Feb. 27, 2015).
[13] - Emily Field, Consumer Privacy Bill of Rights Falls Short, Groups Say, Law 360 (Mar. 4, 2015), available at: http://www.law360.com/articles/627415/consumer-privacy-bill-of-rights-falls-short-groups-say

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2015 White & Case LLP