On February 27, 2015, the Obama White House released an “Administration Discussion Draft” of its Consumer Privacy Bill of Rights Act of 2015 (Proposed Consumer Privacy Act).
The Proposed Consumer Privacy Act revises and builds on the “Consumer Privacy Bill of Rights” that the Obama White House released in its 2012 Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy report.
As described during President Obama’s January 12 visit to the Federal Trade Commission (FTC), the Proposed Consumer Privacy Act identifies seven “basic principles to both protect personal privacy and ensure that industry can keep innovating.” These seven principles are:
- Transparency (§101): Transparency is a principle frequently cited in guidance from the FTC, as well as self-regulatory framework, such as the Digital Advertising Alliance’s cross-industry code for interest based-advertising. The Proposed Consumer Privacy Act describes transparency as “concise and easily understandable language, accurate, clear, timely, and conspicuous notice about privacy and security practices.” The notice required from an entity subject to the Proposed Consumer Privacy Act (defined as a “covered entity” (CE)) must describe the entity’s collection, use, disclosure, retention, destruction and security practices.
- Individual Control (§102): The Individual Control principle means offering consumers a “reasonable means to control the processing (i.e., taking any action regarding) personal data about them in proportion to the privacy risk to the individual and consistent with context.” An individual must have a way to either withdraw consent related to his or her personal data that is “reasonably comparable” to the means by which the consent was initially granted consent or request that the CE “de-identify” (as defined in the Proposed Consumer Privacy Act) his or her personal data.
- Respect for Context (§103): Under the Respect for Context principle, a CE must process personal data reasonably “in light of context.” If the processing is not reasonable, the CE must undertake a “privacy risk analysis” to identify and take reasonable steps to mitigate privacy-related risk, including “heightened transparency and individual control,” such as just-in-time notices. Reasonableness is presumed when a CE’s personal data processing “fulfills an individual’s request.”
- Focused Collection and Responsible Use (§104): The Focused Collection and Responsible Use principle requires that a CE limit its collection, retention and use of personal data to a “manner that is reasonable in light of context.” The CE also must “delete, destroy, or de-identify” personal data within a “reasonable time” after the original purpose for its collection, retention, or use has been fulfilled.
- Security (§105): Under the Security principle, a CE must: identify internal and external “risks to privacy and security” of personal data; implement and maintain safeguards “reasonably designed” to secure personal data; regularly assess the efficacy of the safeguards, and adjust the safeguards to reflect material changes to business practices or “any other circumstances that create a material impact on the privacy or security” of personal data under the CE’s control. The [...]