President Obama has finally revealed the text of draft legislation that would establish “baseline protections” for consumers under a proposed Consumer Privacy Bill of Rights. The bill would impose new legal requirements on any company that engages in interstate commerce, subject to certain important exceptions discussed below. Some of these requirements include:
-
Transparency (providing consumers with a privacy policy)
-
Control (establishing a reasonable mechanism for consumers to grant and withdraw consent)
-
Use Limitation (minimize privacy risk through data collection /retention policies)
-
Security (identification, establishment, and assessment of reasonable safeguards)
-
Access/Accuracy (mechanism for consumers to review and correct any personal data)
-
Accountability (privacy training, privacy audits, Privacy by Design, third-party vendor privacy oversight)
Additionally, companies within an industry have the option to develop codes of conduct that would provide a safe harbor from enforcement under the Consumer Privacy Bill of Rights. The codes of conduct would need to provide equal or greater protections for personal data and would have to be approved by the U.S. Department of Commerce or the Federal Trade Commission.
Other provisions of the bill that may be of particular interest include:
-
Federal Trade Commission: The bill would finally grant the FTC express rulemaking and enforcement authority over company privacy practices.
-
Legal Standard: The bill would establish a “reasonableness” standard to determine what policies and practices are appropriate given the context of a particular company’s privacy risk.
-
Disparate Impact: The bill would require companies to conduct a disparate impact analysis to ensure they are avoiding discriminatory privacy practices.
-
Personal Devices/Vehicles: The bill would expand the definition of personal data beyond traditional forms of personally identifiable information and include unique identifiers of personal devices, as well as unique vehicle identifiers.
-
Small Businesses: The bill contains a number of exemptions for small businesses, including businesses that collect, create, process, use, retain, or disclose the personal data of fewer than 10,000 individuals or devices in a 12-month period; or businesses with fewer than 25 employees.
-
Preemption: Although the bill would preempt certain state laws that address “personal data processing,” the bill fails to preempt the patchwork of state laws imposing breach notification requirements on companies.
-
No Private Right of Action: The bill does not provide consumers with a private right of action.
-
Exemptions: The bill exempts an array of companies that are already subject to federal privacy laws, such as the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act.
The newly released draft bill text closely follows a number of other privacy initiatives that the President announced earlier this year (more details available in our prior alert). Consumer advocates such as the Center for Democracy and Technology have already begun to criticize the bill and call for stronger privacy protections for consumers.
Given the heightened federal attention to threats against consumers’ personal and financial information, companies should be monitoring any federal developments and be prepared to enhance their existing privacy and data security policies and procedures to address new statutory or regulatory requirements. Ballard Spahr's Privacy and Data Security Group monitors legislative and regulatory developments at both the federal and state levels and can assist with establishing or enhancing cybersecurity programs.
