The Obama administration is releasing draft legislation that would make it easier for consumers to see, correct, or remove the personal data that companies keep about them. Today, the White House announced that the draft is based on the principles of the Consumer Privacy Bill of Rights, which it first released in 2012. Consumer privacy is one of several internet-related issues Obama promised to address in his State of the Union address, and he previously released a fact sheet outlining this and other proposed changes.
The Consumer Privacy Bill of Rights Act of 2015 would address the large amounts of data that companies can collect from customers — whether it's used internally, analyzed by advertisers, or sold to a third-party aggregator. It would require companies to provide "concise and easily understandable" explanations of how data will be used, as well as options for customers to see, correct, or remove information.
Companies have to create "easily understandable" data use policies
The "personal data" it covers includes information like names, addresses, social security or passport numbers, fingerprints, and credit card numbers. It does not cover "de-identified" data that cannot reasonably be linked to a specific person, provided companies take "reasonable" measures to keep it that way, nor data used to identify or respond to a cybersecurity threat. Companies would have to make clear what information is collected, who it will be shared with, when and whether it will be destroyed, how it is kept secure, and how customers can see or remove it.
Companies would also be required to take "reasonable steps" to identify and mitigate privacy risks and to make those risks clear to users, and the FTC would have to establish rules for privacy reviews. A company that violates the act would be subject to enforcement actions by the FTC and state attorneys general, as well as lawsuits from users. The bill exempts small operators, including those that process data on 10,000 or fewer people a year or have no more than five employees, which the White House says eases the burden on small businesses.
It's already sometimes possible to find out what information companies have collected. California's "Shine the Light" law, for example, requires companies to disclose, on request, what personal information they've shared with third parties for direct marketing. Companies like Facebook have also tried to make their privacy policies more readable given the tremendous amount of information they hold.
The bill assumes "a world where all of our data is collected about us, all of the time."
Alvaro Bedoya, director of the Center on Privacy and Technology at Georgetown's law school, worries that Obama's bill could actually preempt stronger state laws, letting companies collect whatever they want as long as they maintain some level of transparency. He cites laws in Illinois and Texas that bar companies from collecting biometric information without permission. "This bill would erase those protections without offering any clear replacement," he writes, adding that it "seems to assume a world where all of our data is collected about us, all of the time."
He's not alone. The nonprofit Consumer Watchdog calls the bill "full of loopholes" and says it "envisions a process where industry will dominate in developing codes of conduct." The Center for Digital Democracy says it relies too heavily on companies' own judgment about whether information is sensitive and how it should be managed, limiting the FTC's power. "Although the president's Privacy Bill of Rights promised transparency and control, it creates a labyrinth-like process that consumers must navigate before they can actually access and correct their own data records held by companies," the group says in a statement. And the Center for Democracy and Technology says the bill "falls short on the privacy protections needed in today's digital world."
Ultimately, Bedoya hopes whatever reaches Congress will be more specific and authoritative, opening the door to meaningful reform. Obama, meanwhile, will continue pushing on other fronts: earlier this month he signed a cybersecurity executive order promoting information sharing between the private sector and the government, one more in a long and dubious series of attempts to create rules in response to breaches like last year's Sony hack.
Update February 27th, 5:00pm: Added statements from Consumer Watchdog, the Center for Digital Democracy, and the Center for Democracy and Technology.