Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015
On February 27, 2015, President Obama released an administration draft of a proposed Consumer Privacy Bill of Rights Act. The proposed bill’s stated purpose is to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”
The draft bill is intended to act as a baseline privacy law to control all kinds of personal information and address critical privacy issues presented by the ever-increasing collection and use of private information. The proposed new framework is meant to fill in the gaps between existing privacy legislation, such as the Fair Credit Reporting Act and the Video Privacy Protection Act, which is scattered over different sectors and has inconsistent standards. President Obama previously introduced a framework of consumer privacy law in 2012.
At its core, the draft bill requires industries to develop their own “codes of conduct” on the handling of consumer information and charges the Federal Trade Commission (“FTC”) and state attorneys general with enforcement. The draft bill adopts a wide definition of covered entities, including any entity that “collects, creates, processes, retains, uses, or discloses personal data in or affecting interstate commerce.” Its definition of “personal data” is similarly broad, and includes most non-public data that can be linked to a specific individual or device. However, critics such as the New York Times editorial board express concerns about the broad range of exceptions to the draft bill’s coverage. These exceptions include de-identified data, deleted data, employee business information, and information used or disclosed to respond to cybersecurity threats. Several entities are also exempt, including businesses that have fewer than 5 employees or that process personal data from fewer than 10,000 individuals or devices each year. Businesses would also not be liable for violations in the first 18 months they create or process personal data.
Understandably, the draft bill has provoked strong reactions from both consumers and industry members. The Information Technology Industry Council released a statement that said the discussion draft "continues the important dialogue" around privacy practices and urged that modifications to the existing framework “be carefully considered with a meaningful opportunity for all relevant stakeholders to participate in the process.” Fourteen privacy advocacy groups, including New America’s Open Technology Institute (“OTI”), the Electronic Frontier Foundation, the National Consumers League, and Public Knowledge, sent an open letter to the White House enumerating several concerns about the proposed act. The letter states that the draft bill was a good start but not strong enough. OTI criticized several portions of the proposal, saying that its faults included “overly broad exceptions to the protections the bill would create, a framework that would task the Federal Trade Commission with review of what could be hundreds of proposed ‘Codes of Conduct,’ and a provision that would invalidate numerous state-level privacy laws without replacing them with protections that are clearly stronger.” EPIC expresses similar views and criticizes the draft as “not helpful, unworkable,” and falling short of the 2012 framework issued by President Obama. EPIC declares that the draft bill “lacks meaningful protections for consumers, would preempt stronger state laws, and creates unnecessary regulatory burdens for businesses.”
The FTC, the major enforcement body of the proposed Act, conveyed its support but also pointed out the weakness of the draft bill. The National Law Review reports on comments made by FTC Commissioner Julie Brill on March 5 at the annual U.S. meeting of the International Association of Privacy Professionals that the draft bill is not protective enough of consumers. According to the National Law Review, Commissioner Brill “would like to see the bill require affirmative express consent of the individual for (a) material retroactive changes to a privacy statement and (b) use of sensitive information out of context of the transaction in which it was collected.” Such an attitude may have major impacts for industries and data brokers handling massive amounts of “out of context” data.
Many individuals, including Commissioner Brill, have stated that they assume the bill is unlikely to become law during this session of Congress. Among other hurdles, the proposed Act would need a congressional sponsor before being officially introduced. However, as the Christian Science Monitor comments, the administration’s proposal has provided “a framework for a national discussion about privacy regulation,” and that is what matters most now.
Lan Du is an LLM student in the Class of 2015 at Harvard Law School.