The White House released what it’s calling a “discussion draft” of its Consumer Privacy Bill of Rights (CPBR) late Friday. The bill aims to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”
The highly anticipated release comes the promised 45 days after President Barack Obama appeared at the Federal Trade Commission (FTC) to lay out the administration’s intentions.
According to the draft discussion bill, industries would create codes of conduct for data privacy standards and implement privacy review boards that would be overseen by the FTC. The CPBR also calls on businesses to be transparent about their data practices in “concise and easily understandable language.” Consumers should also have a means to see, correct and delete personal data held by companies, and those same businesses should not sell personal data to third parties in ways that would surprise consumers.
Microsoft applauded the proposed bill. Chief Privacy Officer Brendon Lynch, CIPP/US, in a blog post, welcomed the White House bill in the hopes it “will kick-start a much needed conversation about how to protect people’s personal information” and help “build trust and foster innovation.”
Future of Privacy Forum (FPF) Co-Chairs Jules Polonetsky, CIPP/US, and Christopher Wolf said, “International data regulators should recognize that this bill is not a critique of the current system but the opening of a nuanced conversation that seeks to balance benefit and risk, while being considerate of consumer rights.”
However, several sources from across the spectrum are criticizing the bill. The FTC, which is at the center of much of the legislation, said it is “pleased that the administration has made consumer privacy a priority” but has “concerns that the draft bill does not provide consumers with the strong and enforceable protection needed to safeguard their privacy.”
Democrats, tech groups and privacy advocates are also concerned with the bill.
Sen. Ed Markey (D-MA), who is releasing privacy legislation of his own, said the bill “falls short of what is needed to ensure consumers and families are squarely in control of their personal data.” He said “instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally enforceable rules that companies must abide by and consumers can rely upon.” Markey expressed concern that the CPBR would also preempt certain stronger state laws that already protect consumer privacy.
In a joint statement, Reps. Frank Pallone (D-NJ) and Jan Schakowsky (D-IL), ranking members of the House Energy and Commerce Committee and the Committee’s Commerce, Manufacturing and Trade Subcommittee, respectively, said the new bill could move consumer privacy protection backward. They specifically point out four major concerns with the legislation, including “flawed” self-regulatory practices that would be allowed to continue, the preemption of stronger state laws, an 18-month exemption for new companies and caps on penalties for bad actors.
Pallone and Schakowsky did applaud a last-minute change from an earlier draft that "would have moved telecommunications carriers and cable companies from the privacy regime regulated and enforced by the FCC (Federal Communications Commission) to a self-regulatory system within the FTC's purview." They said such a provision would have weakened privacy rules created by last week's net neutrality order by the FCC.
Tech companies, on the other hand, said the bill goes too far and would place burdensome regulations on industry. Internet Association CEO Michael Beckerman said the bill “casts a needlessly imprecise net,” while Consumer Electronics Association CEO Gary Shapiro argued the bill “could hurt American innovation and choke off potentially useful services and products.”
Privacy advocates also joined the growing chorus of concerns with the bill, saying the FTC is not granted appropriate authority in the new framework. Center for Digital Democracy Executive Director Jeffrey Chester said the bill “fails to give the FTC, the country’s key privacy regulator, ‘rule-making’ authority to craft reasonable safeguards and actually empowers the companies that now harvest our mobile, social, location, financial and health data, leaving them little to fear from regulators.”
Consumer Watchdog’s John M. Simpson said, “The bill envisions a process where industry will dominate in developing codes of conduct” and that it “is full of loopholes and gives consumers no meaningful control of their data.”
The FPF’s Polonetsky and Wolf are optimistic, however, about the precedent set by the bill.
“The impact of the bill is not likely to be legislative,” they conceded, “but the ideas it raises will have impact on the privacy debate.” They note that the CPBR highlights the importance of context in data use, risk-benefit analysis and the consideration of privacy review boards, all important aspects to advance consumer protection.