As expected, the White House Friday released the discussion draft of its proposed bill to put some legislative muscle behind the Administration's privacy bill of rights.
Marketers and others handling digital data argued the bill went too far, while the other side argued that the bill relied too much on self-regulation and codes of conduct.
As expected the bill no longer has a provision that would have potentially weakened the FCC's authority over cable customer personal information by moving enforcement to a code of conduct regime enforced by the Federal Trade Commission.
But the primary focus of the legislation is tailoring privacy protections, stronger codes of conduct for applications that collect a lot of location information over a long period of time but lesser for ones just identifying the nearest Starbucks. It also emphasizes that voluntary codes of conduct, that must be approved by the FTC, can provide a safe harbor from the legislation's requirements.
The President, in talking about protecting privacy in advance of the State of the Union address, signaled the bill was coming.
The White House last month billed it as the next steps in a comprehensive approach to online privacy and security, pointing to a study that showed that 9 of 10 Americans feel they have lost control of their personal information, which could discourage them from taking advantage of technological innovation and adversely impact the economy, the White House says.
The bill does not give the FCC substantive rulemaking authority to impose further rules, but it would be empowered to enforce the privacy bill of rights, including with civil fining authority. The bill also prempts overlapping state privacy laws and, unusually, applies to nonprofits as well as commercial data collectors. The bill has some small business exceptions, and the FTC is empowered to exempt other categories if it makes sense.
The White House has been suggesting there needed to be buttressing legislation since it came out with the bill of rights' seven privacy principles in 2012.
Calling it the first step in a dialog with stakeholders–it is a draft after all—the White House outlined the bill this way:
This legislation would provide consumers with clear rights to exercise individual control over data, including to:
• Understand How Data Will Be Used — with up-front, plain-language notices telling consumers how their information will be collected, used, and shared.
• See and Correct Data Held by a Company – to provide consumers with a better understanding of the data companies store and process concerning consumers, as well as the opportunity to correct inaccurate information.
• Keep Data in the Proper Context — to ensure that sensitive data provided for one purpose is not then reused or resold in ways that would cause surprise and concern.
• Remove their Data — to ensure consumers who want to cancel their accounts or remove their data have the opportunity to do so.
While allowing our entrepreneurs and companies to:
• Understand Privacy Risk — with important definitions of the kinds of harms for which companies should be on the lookout, and take steps to prevent.
• Focus Collection of Data — by not collecting unnecessary, sensitive data that, when stored, could create risks for companies’ security, bottom line, and the trust of their users.
• Develop Codes of Conduct Specific to their Industry — to provide more tailored best practices for particular business sectors, that when approved by the Federal Trade Commission, would provide safe harbors for responsible use of data.
• Prepare and Use Customary Business Records – by identifying how this basic need of businesses fits into a privacy-protective framework.
This discussion draft builds on the United States’ tradition of strong privacy enforcement, empowering the Federal Trade Commission and state attorneys general to monitor and enforce its provisions. At the same time, it recognizes the dynamic nature of the information economy by:
• Preserving Data Innovation — making clear that companies can still use collected data for customary business purposes, and to protect consumers, respond to their preferences, and improve services.
• Protecting Small Businesses — ensuring that startups, companies with minimal data holdings, and those with little to no impact on consumer privacy do not face unnecessary new burdens.
• Anticipating Changes in Technology — allowing the Federal Trade Commission to dynamically interpret the definition of “context,” and adjust the range of covered entities, to account for emerging technologies and business practices.