The White House recently released draft legislation of the Consumer Privacy Bill of Rights Act of 2015 (the Act). The Act is based on seven key principles that extend beyond merely data use and security. Below we provide a brief summary of some notable aspects of the Act.
- Scope. The Act would apply to “covered entities,” which are, with a few exceptions, persons that collect, create, process, retain, use, or disclose personal data in or affecting interstate commerce. This far-reaching scope is amplified by the fact that “personal data” is defined broadly to include information that is not generally available and is linked or linkable to an individual (e.g., unique identifiers).
- Context. The context—the circumstances that surround a covered entity’s processing of personal data—plays an important role throughout the Act. For example, if personal data processing is not reasonable in light of the context, the covered entity, with some exceptions, would need to mitigate any identified privacy risks, including providing “heightened transparency and individual control,” which is only vaguely described.
- Privacy Risk. Many provisions of the Act are based on privacy risk—the potential for personal data to cause emotional distress or physical, financial, or other harm—rather than a privacy rights approach. For example, covered entities would need to provide individuals with reasonable means to control the processing of their personal data “in proportion to the privacy risk.”
- Privacy Practice Changes. The Act specifically addresses material changes to privacy practices and would require a covered entity to (i) provide clear and conspicuous descriptions of the changes in advance and (ii) provide individual controls designed to mitigate potential privacy risks related to previously collected personal data, which may include seeking express affirmative individual consent.
- Business Records Exception. Processing personal data for the purposes of “customary business records”—data typically collected in the ordinary course of business that is retained for generally accepted purposes for that business—is a notable exception to some of the Act’s requirements.
- Codes of Conduct. The Federal Trade Commission (FTC) would be involved with the approval of industry codes of conduct, which would be deemed compliant with the Act’s requirements and could lead to more predictability and flexibility in the Act’s implementation.
- Enforcement. The FTC would have the ability to issue civil penalties. The FTC could not, however, seek civil penalties based on a covered entity’s conduct during the first 18 months of its existence or processing of personal data. The Act expressly excludes any private right of action.
- Preemption. The Act would preempt state and local laws to the limited extent that such laws impose personal data processing obligations. The Act specifically excludes preemption of general consumer protection laws.
Because privacy advocates and the FTC have criticized the Act for being heavy on exceptions and light on consumer protections and enforcement, and because the business community has raised concerns regarding the Act’s lack of clarity and the risk of hampering innovation, it appears that there is a long road ahead for the Act, which may never make it through Congress.