
The Privacy Advisor | Obama Stops by FTC; Announces Privacy Bills on ID Theft, Student Data, Consumer Privacy


It’s a big day for privacy. Giving what he called a “sneak peek” into his State of the Union address, President Barack Obama stopped by the Federal Trade Commission (FTC) today to announce legislation he plans to introduce on consumer and student privacy. Calling on Congress to get behind him in a bipartisan way, Obama outlined forthcoming bills on identity theft and student privacy as well as an updated draft of the Consumer Privacy Bill of Rights.

“We pioneered the Internet,” Obama said of the United States. “But we also pioneered the Bill of Rights and a sense each of us as individuals have a sphere of privacy around us that should not be breached by our government but also by commercial interests.”

Privacy advocates are largely pleased with the announcements but say some are more likely to pass than others. Breach notification and student privacy? Likely. Consumer Privacy Bill of Rights? Let’s not get ahead of ourselves.

The Proposals

In February 2012, the White House released a consumer privacy whitepaper calling for a comprehensive, federal Consumer Privacy Bill of Rights that the administration drafted over two years’ time via consultations with stakeholders. Now, the Commerce Department has announced it has completed public consultations on a revised draft and will release the proposal within 45 days. Commerce has asked Congress to now begin “active consideration of it.”

In his State of the Union address, Obama will also introduce two new Acts: The Personal Data Notification and Protection Act would create a national standard for breach notification and establish a 30-day notification requirement upon discovery. It would also criminalize illicit overseas identity trade. Second is the Student Digital Privacy Act, which would require educational institutions to only use the data they collect for educational purposes, specifically banning companies from selling student data to third parties for unrelated purposes and from sending targeted ads based on that data.

Federal Breach Notification Bill

Chris Calabrese, senior policy director at the Center for Democracy and Technology, says the president's privacy announcement is a win for consumers and students in general, but a breach notification law is going to be tricky to get through Congress.

“It’s a pretty entrenched issue at this point, with companies having dealt now for a while with state privacy breach bills and not actually as eager to have national standards as they have been in the past,” he said, adding that consumer groups are concerned about preemption of state law.

Joseph Rubin, an attorney at Arnall Golden Gregory who often represents the business community including Fortune 1000 companies, agrees with Calabrese's concerns about preemption.

“I think that’s part of the balance the business community has to deal with,” he said. “We want a national standard, but if it goes too far or isn’t totally preemptive, it doesn’t add anything. The devil is in the details, and the details of various proposals have unfortunately thwarted efforts to pass legislation over the last decade.”

This go-round, he’s not thrilled with the time frame for breach notification.

“Thirty days seems awfully short,” he said. “It’s not impossible, but it depends on the standard of harm. If there’s not substantial risk of injury, we think notification is likely unnecessary.”

But Prof. Woodrow Hartzog of Samford University said many states already require notification in under 30 days as well as impose data security requirements.


[Photo: U.S. President Barack Obama addresses the Federal Trade Commission.]

"It's possible the legislation could be watered down and weaken stronger state laws," he said.

Rubin said industry would hope breach notification is enforced administratively, not through the courts and class actions. It’s not insignificant, Rubin said, that Obama made the announcement at the FTC. Yes, that implies administrative enforcement, but it's also a concern for industry, because it seems to indicate the FTC would have rule-making authority and therefore civil penalty authority. This creates uncertainty for industry, he said, because recent cases like Wyndham have illustrated persisting questions in the court of public opinion about the clarity the FTC provides in regard to what you can and cannot do.

Janis Kestenbaum, who recently left her role as FTC Chairwoman Edith Ramirez’s advisor, also spoke of the importance of Obama choosing the FTC to launch the news.

“I think that shows his administration’s recognition for the important work the FTC’s doing in those areas,” she said.

Ramirez noted, as she introduced the president, his presence at the FTC underscores the significance of the FTC's work and highlights "our shared commitment to consumer privacy."

Consumer Privacy Bill of Rights

Calabrese calls the Consumer Bill of Rights a pretty “ambitious piece of legislation” but agrees it’s an important one.

The bill would apply to any individual's personal data, including in the aggregate. The White House bill’s provisions included granting consumers the right to exercise control over the data companies collect from them and how it’s used; the right to easily understandable and accessible information about privacy and security practices; the right to data access and to correct inaccurate data; the right to reasonable limits on the amount of data companies collect on them, and for companies to be held accountable by enforcement authorities in the case they don’t adhere.

“We’ve identified some basic principles to both protect personal privacy and ensure industry can keep innovating,” Obama said. “We believe there ought to be some basic, baseline protection across industries. I hope Congress joins us to make the Consumer Privacy Bill of Rights the law of the land.”

If Obama succeeds in getting it passed through Congress, it’d be a “really important marker for the future … A presidential administration writing good workable rules for how privacy legislation could work in the United States,” Calabrese said.

Student Privacy Legislation

David Hoffman, CIPP/US, global privacy officer at Intel, a provider of education services that has called for FERPA reform, said changes are critically needed to allow organizations to use data to improve education but simultaneously engender trust among parents, students and teachers. To date, that level of protection really hasn’t existed, he said.

Obama today announced that 75 companies have signed the Student Privacy Pledge, developed by the Future of Privacy Forum and the Software & Information Industry Association, in the name of progress despite an often gridlocked Congress. Companies that sign the pledge promise not to sell student information nor behaviorally target students and to only use data for authorized purposes.

“We won’t wait for legislation,” Obama said. “It’s the right thing to do. If you don’t join this effort,” he said of the industry, “we intend to make sure those schools and parents know you haven’t joined this effort.”

Obama said his proposals are basic, common-sense steps everyone should be able to support, from consumers to industry to Republicans to Democrats.

“This should not be a partisan issue. This should be something that unites all of us as Americans,” Obama said. “This transcends politics and ideology … everyone’s online. Everyone understands the risks and opportunities that are presented by this new world. Business leaders want their privacy and their children’s privacy just like everybody else does.”



  • Jon • Jan 12, 2015
    "But Prof. Woodrow Hartzog of Samford University said many states already require notification in under 30 days as well as impose data security requirements." 5 days for health care facilities in CA and insurers in CT. But nothing else (14 days to notify regulators in VT is not consumer notice, and Maine's 7 days after law enforcement delay is not "under 30 days"). 30 days is lower than any other state's general breach notification requirements except Florida's, which is exactly 30 days. (Pause video for Jon Stewart "What is wrong with you people?" face.)
  • Margaret • Jan 12, 2015
    And thirty days is not 24 hours (EU)!