President Obama continued his push for privacy legislation by recently unveiling a draft Consumer Privacy Bill of Rights Act (“Draft Bill”). To move forward, the Draft Bill must be sponsored by a member of Congress and is very likely to undergo substantial revisions both before that happens and after. According to press reports, the proposal has already drawn criticism from lawmakers, the Federal Trade Commission (FTC), industry associations and consumer advocates. Nonetheless, the Draft Bill provides insight into what the administration is thinking. The proposal would require covered entities to comply with so-called fair information practice principles (FIPPs) and impose civil penalties in the event of noncompliance, but it would also provide a safe harbor for those that adhere to codes of conduct approved by the FTC.

The Draft Bill defines personal data broadly, with a few exceptions, as any nonpublic data under the control of a covered entity that is linked or linkable not only to an individual, but even to his or her device. It would establish FIPPs-based obligations for a covered entity that collects, creates, processes, retains, uses or discloses personal data. These include requirements to...