On February 27, 2015, the Obama Administration released a discussion draft of the Consumer Privacy Bill of Rights Act of 2015 (the “Privacy Act”), holding true to President Barack Obama’s commitment in 2012 to introduce legislation to put the Privacy Act’s principles into law. The Privacy Act is intended to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementation of [the] protections through enforceable codes of conduct.”
The Privacy Act seeks to regulate a broad variety of covered entities, which are persons that collect, create, process, retain, use, or disclose personal data in or affecting interstate commerce. “Personal data” includes “any data under the control of a covered entity, not otherwise generally available to the public through lawful means, and are linked, or as a practical matter linkable by the covered entity, to a specific individual, or linked to a device that is associated with or routinely used by an individual.” While this definition is broad and even goes on to identify specific data elements that constitute personal data, the definition is not without its ambiguity. Of some note, the Privacy Act does not specifically identify geolocation data, which has become ubiquitous with the rise of mobile devices.
Title I of the Privacy Act sets out, in greater detail, the same privacy principles specified in the White House’s 2012 privacy framework, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Global Innovation in the Global Digital Economy.” The principles include:
- Transparency – Covered entities must provide individuals with notice about a covered entity’s privacy and security practices that is concise, easily understandable, timely, and accurate. Such notice must also contain the Privacy Act’s content requirements.
- Individual Control – Covered entities must provide individuals with reasonable means to control the processing of their personal data in a manner that is proportionate to the privacy risks to the individual and consistent with context.
- Respect for Context – If a covered entity processes personal data in a manner that is not reasonable in light of context, the covered entity must conduct a privacy risk analysis that includes reviews of data sources, systems, information flows, partnering entities, and data and analysis uses to examine the potential privacy risks. Covered entities must also take reasonable steps to mitigate any identified privacy risks which include providing heightened transparency and individual control.
- Focused Collection and Responsible Use – Covered entities may only collect, retain, and use personal data in a manner that is reasonable in light of context, and must consider ways to minimize privacy risks when determining its personal data collection, retention, and use practices. In addition, covered entities must delete, destroy, or de-identify personal data within a reasonable time after it has fulfilled the purpose or purposes for which it was originally collected.
- Security – Covered entities must: identify reasonably foreseeable internal and external risks to the security of personal data; establish, implement and maintain safeguards reasonably designed to ensure the security of personal data; regularly assess the sufficiency of any safeguard in place; and evaluate and adjust safeguards in light of any changes that could materially impact the security of personal data.
- Access and Accuracy – Upon request by an individual, covered entities must provide that individual with reasonable access to, or an accurate representation of, personal data that both pertains to the individual and is under the control of the covered entity. Covered entities must also establish, implement, and maintain procedures to ensure that the personal data under their control is accurate.
- Accountability – Covered entities must take measures that are consistent with the privacy risks associated with their personal data practices to ensure compliance with their obligations under the Privacy Act, which include: providing training to employees; conducting internal or independent evaluations of their privacy and data protections; utilizing privacy by design; and contractually binding third parties to comply with the Privacy Act’s requirements before disclosing personal data to them.
Enforcement authority under the Privacy Act rests with the Federal Trade Commission (“FTC”), and a violation of the Privacy Act’s requirements would constitute an unfair or deceptive act or practice under Section 5 of the FTC Act. State Attorneys General are also granted enforcement authority to bring civil actions in Federal District Court if the violation causes harm to a substantial number of that State’s residents. The remedy for such actions is limited to injunctive relief, and State Attorneys General’s enforcement authority is precluded if the FTC has already initiated an enforcement action or if it intervenes to prosecute. Consumers will have no private right of action under the Privacy Act.
Covered entities can avoid a potentially costly FTC enforcement action if they have maintained a public commitment to adhere to an FTC-approved code of conduct addressing data privacy and security. The Privacy Act would also preempt state law requirements “to the extent [they] impose requirements on covered entities with respect to personal data processing.” It does not, however, preempt state consumer protection laws, health information laws, data breach notification laws, or laws addressing the privacy of children or K-12 students.