Late last month, the White House issued its consumer data privacy framework entitled, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” The Administration’s privacy framework was announced as an attempt to provide a clear set of basic privacy principles to address consumer data privacy issues that arise with technology advancements in a commercial setting. As privacy legislation is debated in Congress, the White House outlines its views on privacy rights that every American consumer should enjoy and urges Congress to pass legislation that incorporates the” Consumer Privacy Bill of Rights” included in the framework. This framework provides clarity and certainty regarding the consumer data privacy protections required of businesses. Further, the Administration calls for all relevant stakeholders—companies, privacy and consumer advocates, State AGs, law enforcement, academics, and international partners—to develop enforceable codes of conduct implementing the Consumer Bill of Rights.
• Scope: The Administration seeks legislation that would apply the Consumer Privacy Bill of Rights requirements on all sectors not currently subject to existing privacy laws.
• Consumer Privacy Bill of Rights: The proposed Consumer Privacy Bill of Rights provides individual rights and corresponding business obligations to protect consumers’ personal data based on globally recognized Fair Information Practice Principles, including: (1) individual control over collection of data, (2) transparency regarding companies’ privacy policies and practices, (3) an expectation that companies will collect, use, and disclose personal data consistent with the context in which consumers provide their data, (4) secure handling of consumers’ data, (5) the ability access and correct personal data, (6) reasonable limits on data collected, and (7) measure to ensure accountability to follow Consumer Privacy Bill of Rights.
• Privacy Legislation: The Administration urges Congress to pass consumer data privacy legislation that would: (1) codify the Consumer Privacy Bill of Rights, (2) grant the FTC direct enforcement authority, (3) provide legal certainty through a safe harbor from enforcement to companies that have adopted and follow an FTC-approved code of conduct, (4) preempt state laws that are inconsistent with the Consumer Privacy Bill of Rights, (5) preserve existing sector-specific federal privacy laws to avoid creating duplicative regulatory burdens, and (6) create a national standard for security breach notification to consumers when unauthorized disclosures of certain personal data have occurred.
• Enforceable Codes of Conduct: The Administration calls for a multi-stakeholder process to develop enforceable codes of conduct adopting the Consumer Privacy Bill of Rights. Incentives to businesses to participate include building consumer trust and consideration of a company’s adherence to a code will be treated favorably by the FTC in any privacy enforcement action.
• FTC Enforcement: Companies that affirmatively adopt enforceable codes of conduct would be subject to FTC jurisdiction and responsible for acting consistent with publicly stated privacy policies. The FTC would continue to enforce consumer data privacy rights through its authority under Section 5 of the FTC Act to prohibit unfair or deceptive acts of practices, pending enactment of federal consumer privacy legislation.
• Global Interoperability: The framework encourages engagement between the U.S. government and international partners to pursue mutual recognition of consumer data privacy frameworks, international participation in Codes of Conduct development, and enforcement cooperation in an effort to achieve global interoperability between privacy regimes.