President Barack Obama has outlined his privacy and data security agenda in a significant policy address at the Federal Trade Commission (FTC)—hitting upon issues now so important to him that they will be included in his State of the Union Address.
The first thing to note here is that the FTC is an independent federal agency made up of five commissioners (three from the President’s party and two from the other party). By giving the speech at the FTC, the president is trying to communicate that the administration and at least a majority of the FTC commissioners are aligned on key privacy and data security initiatives. Whether that combined will can be translated into new legislation passed by a House and Senate controlled by Republicans, two years before a presidential election, remains to be seen.
Some of what the president is proposing has been proposed by him before, while other aspects are new. If all passed, the result would be a sea-change in privacy law in the USA. It won’t, but some of it might.
Data Breach Notification Legislation
The cornerstone of the president’s agenda comprises two proposed bills. The Personal Data Notification & Protection Act would require companies to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard. The president’s press release states it will also criminalize illicit overseas trade in identities.
In order to get through Congress, it is likely this bill will need to have a provision preempting state data breach notification laws. Republicans are also likely to insist that there be no private right of action, but rather the bill be enforced by the FTC, pursuant to trade regulation rulemaking authority, and state attorneys general. The Republican Congress is also likely to keep this bill in a procedural posture—what notice to send and when—as opposed to giving the FTC authority to prescribe substantive data security rules.
Student Privacy Legislation
Obama will also propose a student privacy bill modeled on California’s new student privacy law. Specifically, it would prevent companies working for school districts from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school—while still permitting important research initiatives to improve student learning outcomes and efforts by companies to continuously improve the effectiveness of their learning technology products.
Anything involving protecting kids’ privacy is likely to have an easier time in a divided government. Nevertheless, the Republicans are likely going to want to ensure that the bill gives companies adequate authority to use the data they collect for their own analytics and product improvement, and to share it with their own service providers.
Privacy Bill of Rights
The president, through the Department of Commerce, proposed a comprehensive “Consumer Privacy Bill of Rights” in 2012. Today’s White House press release says the Commerce Department has announced it has completed its public consultation on revised draft legislation enshrining those principles into law. Accordingly, Obama announced today that within 45 days, his administration will release this revised legislative proposal and called on Congress to begin active consideration of this important issue.
Omnibus privacy legislation has been floated multiple times since at least 2001. It is a very difficult legislative pull, with issues involving everything from scope—what’s included and what’s not—to the detail of the requirements on the public sector, to the power of the FTC to draft trade regulation rules enshrining the law into the Code of Federal Regulations, to whether the FTC would be able to seek civil penalties for violations of the law, to familiar issues of preemption and a private right of action.
In a presidential election cycle, with Republicans holding both houses of Congress, and with the focus on data security, this bill will have a difficult time becoming law. This is a very ambitious agenda, and the President will need to work hard even to get parts of it through the Republican Congress. It will be an interesting 2015!
Top image from President Barack Obama's speech at the FTC on Monday, January 12, 2015.