Taking another “step” toward developing comprehensive privacy legislation, the White House has released a discussion draft of the Consumer Privacy Bill of Rights Act of 2015. The draft reflects the Fair Information Practice Principles (“FIPPs”) long championed by the Obama Administration, and calls on businesses engaged in the collection of consumer information (“covered entities”) to either abide by a Privacy Bill of Rights or engage in self-regulation. While commentators have suggested the proposal is dead on arrival (read here, here and here), the Privacy Bill of Rights warrants attention because it will serve as a jumping-off point for further legislative and policy discussions on consumer privacy rights.
A Privacy Bill of Rights Would Expand Consumer Control over Data Collection
The proposed Privacy Bill of Rights includes provisions mandating Transparency (§101), Individual Control (§102), Respect for Context (§103), Focused Collection and Responsible Use (§104), Security (§105), Access and Accuracy (§106), and Accountability (§107). (While data minimization was not a dedicated principle in the President’s version of the FIPPs, §104 addressing Focused Collection provides for limitations on data collection and retention.)
If passed into law, the Privacy Bill of Rights would require covered entities to provide transparent descriptions of their data collection practices, and face limitations on how and what data they are able to collect. This feature would expand consumers’ ability to choose what data to share with covered entities, and to control how covered entities process that data. And that feature would have a dramatic impact on passive data collection efforts common in web-based marketing and e-commerce activities.
Privacy Bill of Rights Hamstrung by Vague Definitions
The biggest barriers to the adoption of the proposed Privacy Bill of Rights are two vague concepts at its center—“Privacy Risk” and “Context.” Under the proposed legislation, “Privacy Risk” focuses on the “potential for personal data, on its own or when linked to other information about an individual, to cause emotional distress, or physical, financial, professional or other harm to an individual.” (§ 4(g).) But the definition is so broad it would be nearly impossible for covered entities to tailor their conduct to comply with the Privacy Bill of Rights. The definition of “Context” is similarly mystifying. It purports to focus on “the circumstances surrounding a covered entity’s processing of personal data” but quickly bogs down in an unwieldy 11-factor test.
Both concepts—which former White House Deputy CTO Nicole Wong called “mystifying”—make it difficult to assess the practical application of the Privacy Bill of Rights, and appear destined to undermine any chance of its passage.
Expanded Definition of Personal Information
The proposed Privacy Bill of Rights expands the definition of personal information found in most state data breach notification laws, and may prove attractive to state and federal legislators as voters continue to see privacy protection as an important issue. Under the proposal, “Personal Data” is defined as any data that is linked or linkable to a specific individual or “to a device that is associated with or routinely used by an individual.” (§ 4(a)(1).) The reference to devices is new, and if implemented in other legislation, it would dramatically expand the number of business activities involving the collection and use of personal data, and increase the chances that data security incidents will trigger notice requirements.
Giving the FTC a Bigger Stick
If the Privacy Bill of Rights becomes law, the FTC would be able to impose civil penalties of up to $25 million in the event of a violation with actual or implied knowledge under Section 5 of the FTC Act. State Attorneys General could seek injunctive relief, but there would be no private right of action.
Push Toward Self-Regulation
A key element of the White House proposal is the introduction of a safe harbor for covered entities that adopt FTC-approved codes of conduct. While the process outlined in the proposal appears cumbersome (particularly given the FTC’s other mandates), the vague character of the concepts underlying the Privacy Bill of Rights, and the liability risks that vagueness raises, mean most covered entities would likely push to develop internal “codes of conduct governing the processing of personal data by a covered entity.” (§ 301(a).) The proposed safe harbor’s rebuttable presumption that FTC-approved codes of conduct “provide equivalent or greater protections for personal data pertaining to individuals” makes self-regulation even more attractive.
Although the White House proposal is unlikely to pass, its emphasis on expanding self-regulation should not be ignored. The FTC has long pushed companies to develop internal codes of conduct governing the collection and use of consumer information, and nothing in the Commission’s recent enforcement actions suggests this trend is abating. Given their current importance, it seems likely that future legislation will also push businesses to develop codes of conduct.