Protection of highly sensitive personal information is a growing concern for most Americans in the ever-increasing digital age, especially in the wake of large-scale data breaches from leading retail brands and healthcare providers. Although protections currently exist to counteract unwanted dissemination of private information, as well as rules mandating notification when such unwanted dissemination occurs, this growing concern has prompted the White House and Congress to take steps toward increasing protections in the context of privacy laws.
On January 12, 2015, President Obama delivered remarks before the Federal Trade Commission in which he announced “new steps to protect the identities and privacy of the American people,” including the Consumer Privacy Bill of Rights, the Personal Data Notification and Protection Act, and the Student Digital Privacy Act.1 Each of these proposals would strengthen protections for either consumers or students and would create a uniform standard for privacy laws to replace piecemeal legislation enacted on a state-by-state basis. Although none of these proposed bills has been enacted into law, and neither the Consumer Privacy Bill of Rights nor the Student Digital Privacy Act has even been formally introduced in Congress, all have drawn wide attention and prompted a debate on how far privacy laws should extend.
Consumer Privacy Bill of Rights
On February 23, 2012, the White House published a whitepaper detailing President Obama’s plan for a universal framework implementing certain data privacy standards for corporations which collect and use individuals’ personal data. Following more than two years of consultation with industry participants, on February 27, 2015, the White House released a “discussion draft” of the Consumer Privacy Bill of Rights Act (CPBR), which is intended to be the cornerstone of the administration’s privacy framework.2 The CPBR is intended to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.” It would preempt any state or local regulations to the extent that they impose requirements on personal data processing.
In particular, the CPBR is aimed at increasing both transparency in corporate data practices and individual control over the storage and use of personal data that companies collect and retain. With respect to transparency, a “covered entity” is required to provide clear and concise notice to individuals about a company’s privacy and security practices. Among other things, the notice must include information about the types of personal data processed by the covered entity, the purposes for which that data is used and to whom it will be disclosed, the specific measures taken to secure personal data, and the persons whom individuals may contact regarding the covered entity’s data processing.
Under the CPBR, individuals must also be given means to control the processing of their personal data that are reasonable in light of the potential privacy risks and the particular context. If a person withdraws consent for a covered entity to collect or maintain his or her personal data, the company must delete or de-identify the data within a “reasonable” time frame. Any covered entity which does not “process personal data in a manner that is reasonable in light of context” must conduct a privacy risk analysis and provide individuals with heightened transparency and a mechanism by which individuals may choose to reduce such privacy risk. An exemption from the heightened notice and control requirements is provided for companies that are supervised by FTC-approved Privacy Review Boards.
In addition, the CPBR requires the focused collection and responsible use of personal data, and covered entities must conduct a risk analysis of threats that could result in unauthorized disclosure of individuals’ information. Companies must also undertake certain internal measures to ensure compliance with the obligations of the CPBR, such as providing employee training and integrating consideration for privacy and data protection into the company’s systems.
Violations of the CPBR are treated as an unfair or deceptive act or practice in violation of Section 5 of the Federal Trade Commission Act, and the FTC may levy penalties of up to $25 million. Notably, the CPBR includes a safe harbor provision for covered entities that develop a code of conduct for the processing of personal data. The codes of conduct must undergo a public comment process and are subject to approval by the FTC, which turns on whether the code of conduct provides protections for personal data that are equal to or greater than those otherwise provided in the CPBR.
Reaction to the bill has been mixed. Among the bill’s biggest supporters is Microsoft, which lauded the CPBR as a “welcome development that [it] hope[s] will kick-start a much-needed conversation about how to protect people’s personal information.”3 The FTC, however, expressed concerns that the draft bill fails to provide the “strong and enforceable protections needed to safeguard [consumers’] privacy.”4 That sentiment is echoed by Democratic legislators, who fear that the bill falls short and believe that its emphasis on self-regulation is a flawed solution.
To that end, a coalition of privacy groups, including the Center for Digital Democracy, drafted a letter criticizing both the development of the CPBR—during which the White House allegedly shut out many privacy watchdog organizations from the consultation process—and the substance of the draft bill. The coalition argues that the draft bill does not vest enough power in the FTC and places too much discretion in the hands of companies through the many provisions aimed at self-regulation. Furthermore, the coalition is concerned that the bill may preempt stronger state legislation and could ultimately weaken privacy protections for many citizens.
Similarly critical are those in the tech industry, but for opposite reasons. The Internet Association is worried that the bill is “needlessly imprecise,”5 and the Consumer Electronics Association fears that it could be harmful to innovation. Differences aside, both the bill’s supporters and its detractors can agree that the legislation is not likely to pass in its current form, and the main value of the discussion draft is to engender a more robust dialogue around the privacy issues that are relevant in today’s digital age.
Personal Data Notification and Protection Act
As the rate of cyberattacks continues to rise, so do concerns from the public regarding the security of highly sensitive personal information in the custody of businesses. Although most states have enacted variations on legislation that mandate notification to individuals in the event of a breach or potential breach of personal, sensitive information,6 to date there is no uniform federal standard with which businesses are required to comply.
The Personal Data Notification and Protection Act, promoted by the White House and introduced to the U.S. House of Representatives on March 26, 2015, by Rep. James R. Langevin, would create a uniform notification standard with which businesses holding records for more than 10,000 individuals within any 12-month period must comply in the event “sensitive personally identifiable information” has been breached or “reasonably believed” to have been breached.7 Businesses would be required to notify customers within 30 days of discovering the breach, unless the Federal Trade Commission determined there would be no reasonable risk to customers or disclosure would be preempted by national security or other specifically enumerated concerns.8 The legislation would also criminalize illicit overseas identity trade. The bill, H.R. 1704, is currently before the U.S. House of Representatives and has been referred to the Committee on Energy and Commerce and the Committee on the Judiciary for comment.
Critics of the Personal Data Notification and Protection Act, such as various privacy advocacy groups, see this new legislation as weak and as a barrier to the more effective and extensive legislation already passed in a variety of states.9 After all, weaker federal legislation, if passed, would preempt state legislation and thus eliminate rights of citizens of states whose strong privacy standards currently provide additional protections not encompassed in H.R. 1704. Advocates, such as many financial and retail groups, feel that a uniform information-sharing policy would not only improve businesses’ ability to comply with notification laws, but would also facilitate collaboration between industry and government to eradicate or lessen the threat posed by cybercriminals.
Student Digital Privacy Act
Following the wave of proposed legislation aimed at easing general privacy concerns, the Student Digital Privacy Act aims to alleviate concerns that the private information of students in kindergarten through 12th grade is being used commercially. Specifically, this proposed legislation would require educational institutions to use data collected on students in the classroom solely for educational purposes and would ban the sale of student data to third parties, or its use by them, for unrelated, non-educational purposes, including targeted advertising and marketing. Although legislation currently exists to limit the sale or use of students’ private educational records, the fact that this legislation has not been updated in four decades has many concerned and has prompted calls from both the White House and many in Congress for an active reform of such protective legislation.
The bill, however, is already off to a rocky start. Set to introduce the bill on Monday, March 23, 2015, Reps. Jared Polis and Luke Messer delayed introduction of the bill to smooth out concerns voiced by advocacy groups. The Student Digital Privacy Act has garnered resistance from advocates on both sides of the debate, including those who favor self-regulation and those who call for stronger protections or consent requirements, such as those mandated in California under the Student Online Personal Information Protection Act. Despite some resistance, however, at least 75 companies have signed the Student Privacy Pledge, a promise, among other things, not to sell student information or behaviorally target students and to only use data for certain authorized purposes. Although draft proposals of the bill have been said to be circulating in Washington, D.C., no formal proposed bill has been released to the public or has been formally proposed in the U.S. House of Representatives or U.S. Senate.
1 The full text of President Obama’s remarks before the Federal Trade Commission can be found here: http://www.gpo.gov/fdsys/pkg/DCPD-201500022/pdf/DCPD-201500022.pdf.
2 The full text of the proposed legislation can be found here: https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-draft.pdf.
3 The full text of Microsoft’s statement can be found here: http://blogs.microsoft.com/on-the-issues/2015/02/27/white-house-proposal-elevates-privacy-transparency-discussion/.
4 Andrea Peterson, “The White House’s draft of a consumer privacy bill is out – and even the FTC is worried,” The Washington Post, February 27, 2015, available at http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/27/the-white-houses-draft-of-a-consumer-privacy-bill-is-out-and-even-the-ftc-is-worried/.
6 Reference to state-by-state privacy legislation requiring notification following security breaches of personally identifiable information can be found here: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. Currently, Alabama, New Mexico, and South Dakota are the only states that have not enacted privacy breach notification legislation.
7 The bill as introduced to the 114th Congress can be found here: http://www.gpo.gov/fdsys/pkg/BILLS-114hr1704ih/pdf/BILLS-114hr1704ih.pdf.
8 The Federal Trade Commission could delay notification time upon determining a delay would prevent further breaches or would be necessary to determine the scope of the breach.
9 California and Connecticut, for example, have five-day notification requirements as compared with the proposed 30-day notification requirements in H.R. 1704.