March 2015

Late afternoon last Friday, the White House released its draft Consumer Privacy Bill of Rights Act (the “Act”).  This follows on the heels of the President’s announcement of cybersecurity as a top priority of the administration, which foreshadowed the release of the Act and included other initiatives, including one for a single national breach notification standard.  It also comes at a time when consumers may be feeling particularly interested in addressing cybersecurity threats, given healthcare insurer Anthem Inc.’s data breach and Sony Pictures Entertainment’s hack in November.

What Does the Act Govern?

The Act was originally articulated by the Administration in 2012, and the current draft tracks the language the Administration used at that time.  The stated purpose of the Act is “[t]o establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”

Specifically, the Act enumerates the following general principles:

  • Transparency: Covered entities must provide notice about the entity’s privacy and security practices.  The notice must be easily understandable, accurate, timely, conspicuous, and conveniently accessible, and must provide individuals with a company contact to address privacy concerns.
  • Individual Control: Covered entities must provide individuals with “reasonable means to control” the processing of their data.  Individuals must be able to understand how to use the control mechanisms and must be able to withdraw consent through means that are reasonably comparable to the means used to grant consent.  Once consent has been withdrawn, the covered entity must delete the data within 45 days.
  • Focused Collection and Responsible Use: Covered entities must collect, retain, and use personal data in a manner that is reasonable in light of context and must minimize privacy risk (i.e., the potential for the data to cause harm to an individual) when determining its collection, retention, and use practices.  Context is defined in the Act by reference to several factors including the extent and frequency of interactions between individuals and the entity, a user’s understanding about how the entity processes collected data, and the types of personal data processed.  Responsible use includes the data minimization principle of deleting, destroying, or de-identifying personal data after it has fulfilled its business purpose.
  • Respect for Context: Covered entities that are not in accordance with the Act and are not using personal data reasonably in light of context must mitigate privacy risks by, inter alia, providing heightened transparency and individual control, absent limited exceptions.
  • Security: Covered entities must identify risks to the privacy and security of personal data, establish, implement, and maintain safeguards to ensure the security of personal data, and regularly assess, and if necessary adjust, those safeguards.  The reasonableness of the safeguards adopted will be determined by reference to the privacy risk of the data, the foreseeability of threats, widely accepted industry practices, and the cost of the safeguards.
  • Access and Accuracy: Covered entities must provide reasonable access to or a representation of the personal data under their control and must establish, implement, and maintain procedures to ensure such personal data is accurate.  Reasonableness considerations include the privacy risk, the risk of adverse action against the individual if the data is inaccurate, and the cost of providing access or ensuring accuracy.  Covered entities must also provide individuals with means to dispute and resolve the accuracy and completeness of the personal data.
  • Accountability: Covered entities must ensure compliance with the Act through training of their employees, internal or independent evaluations or audits, incorporating privacy and data protection into their systems and practices, and binding third parties to which personal data is disclosed to use that data “consistently with the covered entity’s commitments.”