White House Releases Proposed Consumer Privacy Bill of Rights
The White House released a discussion draft of legislation on protecting consumer privacy. The proposed Consumer Privacy Bill of Rights Act of 2015, released on February 27, 2015, broadly defines “personal data” subject to the legislation’s requirements and sets forth standards for protecting consumer privacy.
Among other things, the legislation would require businesses to provide individuals notice about their privacy and security practices. The notice must identify the data collected, the purpose for collecting the data, the persons to whom the data is disclosed, how to access the data, and the measures taken to secure the data. Individuals must be given the right to withdraw consent for the collection, disclosure, and use of their personal data.
In certain circumstances, a business may be required to conduct a “privacy risk analysis” and implement mitigation measures to protect personal data through “heightened transparency and individual control.”
Businesses would be allowed to collect, retain, and use personal data only in a manner that is “reasonable in light of context,” and must consider ways to minimize privacy risk, including deleting or destroying data within a reasonable time. Businesses also must “establish, implement, and maintain safeguards reasonably designed” to ensure the security of personal data. Businesses must ensure that personal data is “accurate” and provide a means for an individual to correct any inaccuracies.
Federal, state and local governments and smaller businesses would be exempt from the requirements of the legislation.
The bill grants enforcement powers to the Federal Trade Commission (FTC), including civil penalty authority up to $25 million per violation, and provides an 18-month transition period. Unless preempted by FTC enforcement action, state attorneys general would be authorized to seek injunctive relief in federal court to remedy violations of the legislation. The bill does not provide a private right of action.
Businesses could develop codes of privacy conduct for review by the FTC. If approved, compliance with the privacy codes of conduct would be a defense to alleged violations of the legislation.
The proposed legislation would preempt state and local privacy laws concerning the collection, disclosure and use of personal data, but would not preempt enforcement of state consumer protection laws.