TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout



President Barack Obama has outlined his privacy and data security agenda in a significant policy address at the Federal Trade Commission (FTC)—hitting upon issues now so important to him that they will be included in his State of the Union Address.

The first thing to note here is that the FTC is an independent federal agency made up of five commissioners (three from the President’s party and two from the other party). By giving the speech at the FTC, the president is trying to communicate that the administration and at least a majority of the FTC commissioners are aligned on key privacy and data security initiatives. Whether that combined will can be translated into new legislation passed by a House and Senate controlled by Republicans, two years before a presidential election, remains to be seen.

Some of what the president is proposing has been proposed by him before, while other aspects are new. If all passed, the result would be a sea-change in privacy law in the USA. It won’t, but some of it might.

Data Breach Notification Legislation

The cornerstone of the president’s agenda comprises two proposed bills. The Personal Data Notification & Protection Act would require companies to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard. The president’s press release states it will also criminalize illicit overseas trade in identities.

In order to get through Congress, it is likely this bill will need to have a provision preempting state data breach notification laws. Republicans are also likely to insist that there be no private right of action, but rather the bill be enforced by the FTC, pursuant to trade regulation rulemaking authority, and state attorneys general. The Republican Congress is also likely to keep this bill in a procedural posture—what notice to send and when—as opposed to giving the FTC authority to prescribe substantive data security rules.

Student Privacy Legislation

Obama will also propose a student privacy bill modeled on California’s new student privacy law. Specifically, it would prevent companies working for school districts from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school—while still permitting important research initiatives to improve student learning outcomes and efforts by companies to continuously improve the effectiveness of their learning technology products.

Anything involving protecting kids’ privacy is likely to have an easier time in a divided government. Nevertheless, the Republicans are likely going to want to ensure that the bill gives companies adequate authority to use the data they collect for their own analytics and product improvement, and to share it with their own service providers.

Privacy Bill of Rights

The president, through the Department of Commerce, proposed a comprehensive “Consumer Privacy Bill of Rights” in 2012. Today’s White House press release says the Commerce Department has announced it has completed its public consultation on revised draft legislation enshrining those principles into law. Accordingly, Obama announced today that within 45 days, his administration will release this revised legislative proposal and called on Congress to begin active consideration of this important issue.

Omnibus privacy legislation has been floated multiple times since at least 2001. It is a very difficult legislative pull, with issues involving everything from scope—what’s included and what’s not—to the detail of the requirements on the public sector, to the power of the FTC to draft trade regulation rules enshrining the law into the Code of Federal Regulations, to whether the FTC would be able to seek civil penalties for violations of the law, to familiar issues of preemption and a private right of action.

In a presidential election cycle, with Republicans holding both houses of Congress, and with the focus on data security, this bill will have a difficult time becoming law. This is a very ambitious agenda, and the President will need to work hard even to get parts of it through the Republican Congress. It will be an interesting 2015!

Top image from President Barack Obama's speech at the FTC on Monday, January 12, 2015.


If you want to comment on this post, you need to login.

  • comment Lane • Jan 13, 2015
    Something critical to watch regarding the Student Privacy issue- The identity of each individual student should be kept confidential.  If tracking of progress on an individual basis is needed (for research, or whatever), ID's shoul dbe assigned, and kept private from anyone outside of the school.  Some schools have wisely already adopted this policy.  To do otherwise, exposes the students to breach of privacy (including government intrusion where it does not belong).  (*This issue has surfaced in part due to the data mining efforts related to Common Core.)
  • comment Michaela • Jan 13, 2015
    Nicely covered.  However, I'm truly wondering when we will find privacy from the government in there.  Bulk surveillance continues unabated, warrantless search and seizure remains the law of the land for various electronic communications, and despite promises made by Candidate Obama, nothing whatsoever has been done to stop these intrusions.  Switching back to the private sector for a moment, what good will any of these proposed laws do for you and me without a private cause of action built in?  These proposals are way too little.