Late last week, President Obama released a “discussion draft” of the Administration’s long-awaited Consumer Privacy Bill of Rights Act. At first blush, the results are a mixed bag: some good, some not so good, much work among stakeholders left to be done.
It didn’t take long for consumer advocates, and even one FTC Commissioner, to say the draft legislation doesn’t go far enough. The Internet has been rife with posts this week about the bill’s problems and shortcomings. In summary, for most, the bill landed like a lead balloon.
Still, the Administration released the bill as a “discussion draft”—signaling the draft legislation is just a step and an invitation for further conversation. For a measured perspective considering the bill through this lens, read former Obama Administration official Nicole Wong’s thoughtful article.
While it’s certainly far from perfect, my take is that the bill isn’t all bad. Here are just a few initial pros and cons to the bill that I’ve identified (in no particular order):
- Pro: many principles are based on fair information practices familiar from existing federal statutes; flexibility and consideration of measures that are reasonable in context; availability of safe harbor protections; exceptions for de-identified data; delayed enforcement to allow parties time to adjust to the law’s requirements.
- Con: loosely defined requirements, definitional uncertainty, preemption and enforcement concerns.
One item of note is that the security provisions in Section 105(a) codify, at a very high level of generality, some of the principles that we’ve been advising our clients about: for example, taking steps to identify internal and external risks to privacy and security of personal data and implementing and regularly assessing safeguards to control risks. (Of course, it’s a separate thing altogether to have recommendations take on the force of law.)
In the end, it may have been inevitable that this bill would be a disappointment to some. After all, the public has been waiting on it since 2012. During that time, there have been many, many high-profile breaches of consumer information. The appetite for more privacy and security protections has only grown over time. But it will take a delicate balance to provide desired protections while at the same time making legal requirements workable for both consumers and the businesses offering products and services consumers want.
To be sure, there will be more to come from the Consumer Privacy Bill of Rights—stay tuned.