On February 27, the White House proposed a bill that would provide consumers with a “Privacy Bill of Rights” and establish an enforcement mechanism for data breach actions by the FTC and state attorneys general. The language used is similar to a proposal by the administration in 2012 that failed to gain Congressional approval.
While few believe that this exact proposed legislation will become law, the White House’s proposal certainly merits close attention given the vital role the Executive Branch plays in steering legislative policy. Industry experts inside the Beltway believe that federal data breach legislation may be the only significant piece of legislation that has a chance of becoming law in 2015.
The so-called “Privacy Bill of Rights” would require covered entities to provide individuals with notice of the entity’s “privacy and security practices” “in concise and easily understandable language.” The notice would include, among other things, the personal data processed by that entity, the purpose for which the entity retains such data, to whom the entity discloses such data, a means by which individuals may revoke consent to the processing of their personal data, and the measures taken to secure such personal information. Importantly, the draft bill of rights prohibits entities from reselling or reusing data in ways that would cause consumers fear or surprise.
The “Privacy Bill of Rights” would also require certain companies to conduct a privacy risk analysis and to “take reasonable steps to mitigate any identified privacy risks.” Specifically, such companies would have to “conduct a privacy risk analysis including, but not limited to, review of data sources, systems, information flows, [and] partnering entities” (emphasis added). The reasonable mitigation steps required of such companies include providing heightened transparency and individual control. In other words, a covered entity would be required to ensure not only that its own data collection and retention practices are reasonable, but also that the collection and retention practices of its “partnering entities” are reasonable.
The “Privacy Bill of Rights” would require companies to consider the so-called “disparate impact” of big data algorithms – whether data mining, particularly from new online data sources, could result in discrimination against “individuals on the basis of age, race, color, religion, sex, sexual orientation, gender identity, disability, or national origin.” For example, an algorithm that screened for certain criteria could end up denying loans to people with disabilities, even if the software developers who created it did not intend to discriminate. Along those lines, the legislation would also require companies to take reasonable steps to ensure that personal data under their control is accurate.
Finally, the proposal would grant the FTC and state attorneys general enforcement authority, and it includes civil penalties for violations. It would also preempt any state laws governing consumer data, except for those pertaining to health information, financial information, data on minors and K-12 students, fraud and consumer safety, and state data breach notification laws. It would provide a qualified exemption for entities subject to specified federal privacy and data security laws, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA).
According to Reuters, the proposal immediately sparked sharp reaction from the technology industry, with fears that the proposal would hurt innovation, and also from privacy advocacy groups that said it did not go far enough. The Wall Street Journal, quoting John M. Simpson, Consumer Watchdog’s director of the privacy project, noted that the draft legislation allows too much industry policing and “is full of loopholes and gives consumers no meaningful control of their data.”
Expect to see comparable draft legislation from Congress in the coming months.