TO / IAB / DATE / March 2, 2015
FROM / Venable LLP / EMAIL /
PHONE / 202.344.4613
RE / Summary of the White House’s Consumer Privacy Bill of Rights Act Legislative Proposal

On February 27, 2015, the Administration released a discussion draft of the Consumer Privacy Bill of Rights Act of 2015, its legislative proposal that would enshrine elements of the Administration’s 2012 Consumer Privacy Bill of Rights into law. The proposal addresses the collection, sharing, and use of personal data by covered entities, individual access to and control of personal data, and the security measures that covered entities must adopt to protect personal data. It also would develop a safe harbor through enforceable codes of conduct.

We provide a summary of the Administration’s proposal below.

Definitions (Sec. 4)

Sec. 4(a). “Personal Data” is defined as any nonpublic data under the control of a covered entity and are linked or linkable by the covered entity to a specific individual or to a device that is associated with or routinely used by an individual, including but not limited to:

  • First name (or initial) and last name;
  • Postal or email address;
  • Telephone or fax number;
  • Social security number, tax identification number, passport number, driver’s license number, or any other unique government-issued identification number;
  • Any biometric identifier;
  • Any unique persistent identifier, including a number or alphanumeric string that uniquely identifies a networked device, commercially issued identification numbers and service account numbers, unique vehicle identifiers, or any required security code, access code, or password;
  • Unique identifiers or other uniquely assigned or descriptive information about personal computing or communication devices; or
  • Any data that are collected, created, processed, used, disclosed, stored, or maintained and that are linked or are linkable by the covered entity to any of the foregoing.

Exceptions. The proposal identifies four exceptions to the definition of Personal data: (1) de-identified data; (2) deleted data; (3) employee information; and (4) cybersecurity data. The proposal defines de-identified data as data that a covered entity has:

  • Altered such that there is a reasonable basis for expecting that the data cannot be linked to a specific individual or device;
  • Publicly committednot to attempt to link to an individual or device;
  • Contractually prohibited third parties to which the covered entity discloses such data from attempting to link the data with an individual or device; and
  • Contractually requiredthird parties to which the covered entity discloses such data to publicly commit to not attempt to link such data to a specific individual or device.

The proposal further provides that “personal data” does not include an employee’s name, title, business address, business email address, business telephone number, business fax number, or any public licenses or records associated with the employment, when such information is collected or used by the employee’s employer or another covered entity, in connection with such employment status. The proposal also excludes from the definition of “personal data” information that is necessary to investigate, mitigate, or otherwise respond to cybersecurity threats or incidents, when processed for those purposes.

Sec. 4(b). “Covered entity” is defined as any person that collects, creates, processes, retains, uses, or discloses personal data in or affecting interstate commerce.

Exceptions. “Covered entity” does not include:

  • The Federal Government, the government of any State or Indian Tribe, or any political subdivision, department, agency, or instrumentality thereof;
  • Any employee, officer, agent, contractor, or organization working on behalf of the Federal Government, or the government of any State or Indian Tribe, when processing data on behalf of such governmental entity;
  • A natural person not acting in a commercial capacity;
  • Certain smaller entities that engage in minimal data processing; and
  • A person that collects, creates, processes, uses, retains, or discloses personal data needed to conduct research relating directly to security threats or vulnerabilities.

Sec. 4(k). “Context” means the circumstances surrounding a covered entity’s processing of personal data, including the following:

  • The relationship between the covered entity and the subject of the data,;
  • The consumer’s understanding of the covered entity’s information practices;
  • The covered entity’s understanding of the consumer’s privacy preferences;
  • The reasonable expectations of consumers regarding the types of personal data that is usually processed to provide the requested good or service;
  • The consumer’s age and sophistication;and
  • The covered entity’s efforts to obscure data about consumers.

Sec. 4(n). The proposal defines “enumerated exceptions” as:

  • Preventing or detecting fraud;
  • Preventing or detecting child exploitation or serious violent crime;
  • Protecting the security of devices, networks, or facilities;
  • Protecting the rights or property of the covered entity or, upon consent of the customer, the covered entity’s customer;
  • Monitoring or enforcing agreements between the covered entity and an individual;
  • Processing customary business records; and
  • Complying with a legal requirement or responding to an authorized government request.

Transparency (Sec. 101)

Notice. The proposal requires that all covered entities provide individuals with easily understood, accurate, clear, timely, and conspicuous notice about its privacy and security practices. The notice must be reasonable in light of the context and the covered entity must provide convenient and reasonable access to the notice.

Contents. The proposal further provides that the notice must identify the following:

  • The types and sources of personal data the covered entity processes;
  • The purposes for which the covered entity collects, uses, and retains personal data;
  • The persons, or categories of persons, to which the covered entity discloses personal data and the purposes for which it discloses such data;
  • If and when personal data will be destroyed, deleted, or de-identified;
  • The access and consent mechanisms the covered entity provides;
  • Contact information for the individual responsible for handling inquiries or complaints concerning the covered entity’s personal data processing; and
  • The measures taken to secure personal data.

Individual Control (Sec. 102)

Control. Each covered entity must provide individuals with reasonable means to control the processing of their personal data.

Withdrawal of Consent. Each covered entity must provide individuals with reasonable means to withdraw their consent to the processing of their personal data. Upon receiving notice that an individual has withdrawn his or her consent, the covered entity must delete all personal data associated with the withdrawn consent within a reasonable time that need not be less than 45 days.

Exceptions. Covered entities do not need to provide individuals with a reasonable means to control the processing of their personal data to the extent that the collection, creation, processing, retention, use, or disclosure of personal data is for an enumerated exception.

Material Change. In the event of a material change to a practice or service that affects previously collected personal data or the ongoing collection, use, dissemination, or maintenance of personal data, a covered entity must provide individuals, in advance of the change, a clear and conspicuous description of the change and, with respect to previously collected personal data, compensating controls designed to mitigate privacy risks.

Respect for Context (Sec. 103)

Privacy Risk Management. If a covered entity processes personal data in a manner that is not reasonable in light of the context, the covered entity must conduct a privacy risk analysis and must take reasonable steps to mitigate any identified privacy risks. Such reasonable steps must include providing heightened transparency and individual control.

Exception. A covered entity is not required to provide heightened notice and individual control if the covered entity’s processing of personal data is supervised by a Privacy Review Board, and the Privacy Review Board determines that it is impractical to provide such notice and control, that the covered entity’s goals are likely to provide substantial benefits that do not exclusively accrued to the covered entity, that the covered entity has taken reasonable steps to mitigate the privacy risks associated with the analysis, and the likely benefits of the analysis outweigh the likely privacy risks.

Disparate Impact. A covered entity must perform a disparate impact analysis where it analyzes personal data in a manner that is not reasonable in light of the context and the analysis results in adverse actions concerning multiple individuals.

Focused Collection and Responsible Use (Sec. 104)

The proposal requires that covered entities collect, retain, and use personal data only in a manner that is reasonable in light of context. The proposal further requires that covered entities delete, destroy, or de-identify personal data within a reasonable time after the data is no longer needed for the purpose for which it was collected. However, the proposal does not impose such limitations on covered entities that fall within an enumerated exception, that provide heightened transparency and individual control, or that are under the supervision of a Privacy Review Board.

Security (Sec. 105)

The proposal requires that each covered entity adopt the following security practices:

(1) identification of all reasonably foreseeable internal and external risks; (2) establishment, implementation, and maintenance of reasonable safeguards; (3) regular assessments of the sufficiency of any safeguards; (4) evaluation of any safeguards in light of the regular assessments, any material changes in the business’s operations, or any other circumstances that materially impact the privacy or security of personal data.

Access and Accuracy (Sec. 106)

Access. Subject to certain limitations, the proposal requires that, upon request, each covered entity provide an individual with reasonable access to the personal data under the control of the covered entity that pertains to the individual.

Accuracy. Covered entities are required to establish procedures to ensure that the personal data under its control is accurate, except with respect to public record data and information collected directly from the individual to whom the personal data pertains.

Correction or Deletion. The proposal requires that all covered entities provide individuals with a means to dispute and resolve the accuracy or completeness of the personal data pertaining to that individual. A covered entity is not required to correct or amend disputed personal data if the covered entity uses or discloses personal data for purposes that could not reasonably result in an adverse action against an individual; however, if the covered entity refuses to correct or amend the personal data, it must delete the personal data within a reasonable period of time.

Accountability (Sec. 107)

The proposal requires that covered entities provide compliance training to employees who process personal data, that they conduct internal or independent evaluations of their privacy and data protections, and that they require any person to whom they disclose personal data to use such data consistent with the covered entity’s obligations with respect to such data.

Enforcement (Sec. 201 and Sec. 202)

Enforcement by the Federal Trade Commission. The Federal Trade Commission (“FTC”) has enforcement authority. However, the FTC must give covered entities 18 months to comply after the date when they first create or process personal data. The requirementsapply to all “persons, partnerships, and corporations” over which the FTC has authority, including non-profit organizations.

Enforcement by State Attorneys General. State attorneys general also have enforcement authority if a covered entity’s violation harms “a substantial number of that State’s residents.” Attorneys general may only seek injunctive relief, unless the FTC intervenes or prosecutes the action. Thirty days before filing a complaint, a State attorney general must provide a copy of the complaint and material evidence to the FTC. Upon receipt of the complaint and evidence, the FTC may intervene as a party, intervene as a party and prosecute the action, or allow the attorney general to proceed independently.

Civil Penalties (Sec. 203)

The proposal provides for civil penalties for violations. The maximum total penalty cannot exceed $25,000,000.

Safe Harbor Through Enforceable Codes of Conduct (Sec. 301)

Commission Review of Codes of Conduct. Any person can develop and apply for FTC approval of codes of conduct for personal data processing. Applications must include details regarding: how the code protects personal data; which entities or activities the code covers; how the code was created; the covered entities that plan to adopt the code; and any other information the FTC requires.

The FTC must provide an opportunity for public comment about any code they receive, and must publish their reasons to approving or denying each code. In order to be approved, codes must provide at least as much protection for personal data as does the proposal. Codes must be reevaluated every three to five years, but the FTC may revoke approval sooner if there is sufficient evidence that the code no longer provides adequate protection.

Non-Government Administration of Codes of Conduct. Any person can apply to be certified by the FTC to administer and enforce an approved code of conduct. Applications must show the person’s ability to “effectively and expeditiously address and resolve alleged violations” of the code. Certification lasts for up to five years, but can be revoked if the FTC determines the administrator is not effectively enforcing the code. Furthermore, certified persons must submit an annual report to the FTC.

Rulemaking. The FTC must promulgate rules establishing the procedural requirements for: codes of conduct; the administration of the codes; applications regarding approval and administration of the codes; and government agency input regarding the proposed codes.

Safe Harbor Protection. Defendants who comply with an FTC-approved code of conduct have a complete defense for alleged violations of the proposal.

Preemption (Sec. 401)

The proposal preempts State law and regulations to the extent that they “impose[] requirements on covered entities with respect to personal data processing.” However, the proposal does not affect state laws regarding consumer protection, the processing of health or financial information, breach notification requirements, or trespass, contract, or tort law.

Private Right of Action (Sec. 403)

There is no private right of action.

Application with Other Laws (Sec. 404)

Exemptions. Certain Internet intermediaries are exempt from requests from anyone other than the original “information content provider.” The law would not apply to covered entities subject to Federal privacy or security laws.

Effect on Other Federal Laws. The privacy or security provisions in an extensive list of specific federal laws are not modified, limited, or superseded.

Exceptions to the Definition of Covered Entity (Sec. 405)

The FTC may make additional exceptions to the definition of covered entities. In making this decision, the FTC must engage in a risk-based cost-benefit analysis

Effective Date (Sec. 406)

Covered entities have two years after enactment to comply.

* * *

Please let us know if you have any questions.

-1-