Administration Releases Discussion Draft for Consumer Privacy Bill of Rights

By David Bruggeman
March 2, 2015

On February 27 the Obama Administration released its discussion draft for a Consumer Privacy Bill of Rights.  The Administration released a framework for a Consumer Privacy Bill of Rights in 2012, calling on Congress to enact it into law.

The Administration’s proposal includes the proposed Privacy Bill of Rights as well as enforcement provisions, a description of codes of conduct that would help implement the Privacy Bill of Rights, and other provisions.

The Privacy Bill of Rights would require covered entities to:

  • Provide individuals notice of the entity’s privacy and security policies, including changes to those policies.
  • Provide individuals with reasonable means to control the processing of information about them, consistent with context.
  • Conduct a privacy risk analysis for any processing of personal data that is not consistent with context.  Such analysis would serve to mitigate privacy risks.  Any privacy risk analysis would require either supervision by a Privacy Review Board approved by the FTC or heightened individual control and transparency connected to the underlying data processing.
  • Destroy, de-identify or delete personal data within a reasonable time after it was used for the purpose(s) for which it was collected.  Exceptions would be granted if a privacy risk analysis or heightened individual control and transparency were in place.
  • Provide reasonable security safeguards for collected personal data.
  • On request from an individual, provide access to the collected information on that person or an accurate representation of that information.

The enforcement mechanisms for the Privacy Bill of Rights are the Federal Trade Commission (FTC) and states’ attorneys general.  The FTC could enforce violations of this law as unfair or deceptive trade practices.  A state’s attorney general could initiate a civil action if he or she believes a company has caused harm to a substantial number of that state’s citizens.  The FTC must be notified before any state action is initiated.

Companies can find safe harbor from this act by complying with codes of conduct approved by the FTC that were developed by an open multistakeholder process.