The Obama White House recently released its draft Consumer Privacy Bill of Rights Act (pdf) and a fact sheet. Parts of the draft legislation date to a 2012 white paper (pdf) that laid out a plan to better protect consumer privacy. And last year, the big data group that the White House convened also issued recommendations on privacy (pdf).
The White House has taken important steps in highlighting that individuals need strong privacy protections for their data and in creating the draft legislation. And it is important that the draft legislation attempts to implement the Fair Information Practices: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. For example, the draft legislation gives several options for responding to companies that would violate the bill’s provisions, including allowing individuals and state attorneys general to file lawsuits.
But there are several significant problems with the proposal that need to be addressed before it can move forward. (The draft does not yet have a legislative sponsor, which it would need in order to be introduced and debated in Congress.)
One problem with the legislation: It would preempt state laws.
SEC. 401. Preemption.
(a) In General.—This Act preempts any provision of a statute, regulation, or rule of a State or local government, with respect to those entities covered pursuant to this Act, to the extent that the provision imposes requirements on covered entities with respect to personal data processing.
This is a substantial problem, because there are some state laws that offer very strong protections for individuals’ data, including biometric data (which is included in the draft legislation under the definition of “personal data”). For example, Texas prohibits the collection of “a biometric identifier of an individual for a commercial purpose unless the person: (1) informs the individual before capturing the biometric identifier; and (2) receives the individual’s consent to capture the biometric identifier.” The state also regulates the use, distribution, storage and destruction of such biometric data (Bus. & Com. Code Ann. § 503.001).
Illinois has its Biometric Information Privacy Act (740 ILCS 14), which includes a provision that: “No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first” gives written notice of such collection (including “specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used”) and gets written consent from the individual.
A second problem: The draft legislation would allow companies to create their own codes of conduct, which the Federal Trade Commission would have to vet.
The legislation says, “Enforceable codes of conduct developed through open, transparent processes will provide certainty for businesses and strong privacy protections for individuals.” But the codes of conduct experiment (also known as industry self-regulation) has been tried and has failed. Examples include the Network Advertising Alliance and the Online Privacy Alliance. For detailed information, see the World Privacy Forum’s 2011 report, “Many Failures: A Brief History of Privacy Self-Regulation.”
Included in this codes of conduct “safe harbor” is a provision allowing new companies to get an 18-month exemption from privacy requirements for data collection and use. (SEC. 201. Enforcement by the Federal Trade Commission. (b)(1)(B) “Exception.—The Commission shall not bring an enforcement action for violations of Title I of this Act seeking civil penalties based on a covered entity’s conduct undertaken within the first eighteen months after the date the covered entity first created or processed personal data.”)
A third problem: There are a variety of loopholes for companies to avoid both following strong privacy protections for individuals’ data and suffering any penalties.
For example, let’s look to how the draft legislation seeks to implement the Fair Information Practices, set out in the 1970s, which have informed the privacy conversation ever since. Congress has reaffirmed its commitment to the Fair Information Practices numerous times. Congress used the Fair Information Practices as the basis of the Privacy Act of 1974, which restricts the amount of personal data that Federal agencies can collect and requires agencies to be transparent in their information practices. When Congress created the Department of Homeland Security’s Privacy Office several years ago, Fair Information Practices were included in the establishing legislation.
The FIPs include provisions for data quality, individual participation, and accountability. Under the “Access and Accuracy” section of the draft legislation, any covered company “shall, upon the request of an individual, provide that individual with reasonable access to, or an accurate representation of, personal data that both pertains to such individual and is under the control of such covered entity.” This data access provision is important for ensuring data quality (for accuracy of the information), individual participation (for consumer access to the data), and accountability (to ensure that companies follow standards ensuring the data is correct). However, there are exceptions to it. One exception: An individual can be denied access to the data that a company holds about him or her if the company deems that “such request for access is frivolous or vexatious.”
Here’s the relevant section of the draft legislation:
SEC. 106. Access and Accuracy.
(1) In General.—Each covered entity shall, upon the request of an individual, provide that individual with reasonable access to, or an accurate representation of, personal data that both pertains to such individual and is under the control of such covered entity. The degree and means of any access shall be reasonable and appropriate for the privacy risks associated with the personal data, the risk of adverse action against the individual if the data is inaccurate, and the cost to the covered entity of providing access to the individual.
(2) Limitations.—A covered entity shall not be required to provide such access if—
(A) the individual requesting access cannot reasonably verify his or her identity as the person to whom the personal data pertains;
(B) access by the individual to the personal data is limited by applicable law or legally recognized privilege, or any applicable First Amendment interest of the covered entity in that personal data;
(C) access by the individual would compromise a fraud investigation or a law enforcement, intelligence or national security purpose; or
(D) such request for access is frivolous or vexatious.
“There is rapid growth in the volume and variety of personal data being generated, collected, stored, and analyzed. This growth has the potential for great benefits to human knowledge, technological innovation, and economic growth, but also the potential to harm individual privacy and freedom,” the draft legislation says. “Laws must keep pace as technology and businesses practices evolve.”
As the collection of users’ online and offline data to create detailed personal profiles of individuals’ activities continues to increase, it is imperative that our privacy laws have strong protections for individuals’ data and provisions for individual access, correction and deletion of such data. The draft legislation is a good step toward a discussion of better privacy legislation, but it does not go far enough.