Data Protection Report - Norton Rose Fulbright

Late afternoon last Friday, the White House released its draft Consumer Privacy Bill of Rights Act (the “Act”).  This follows on the heels of the President’s announcement of cybersecurity as a top priority of the administration, which foreshadowed the release of the Act and included other initiatives, among them one for a single national breach notification standard.  It also comes at a time when consumers may be feeling particularly interested in addressing cybersecurity threats, given healthcare insurer Anthem Inc.’s data breach and Sony Pictures Entertainment’s hack in November.

What Does the Act Govern?

The Act was originally articulated by the Administration in 2012, and it tracks the language the Administration used at that time.  The stated purpose of the Act is “[t]o establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”

Specifically, the Act enumerates the following general principles:

  • Transparency: Covered entities must provide notice about the entity’s privacy and security practices.  The notice must be easily understandable, accurate, timely, conspicuous, and conveniently accessible and must provide individuals with a company contact to address privacy concerns.
  • Individual Control: Covered entities must provide individuals with “reasonable means to control” the processing of their data.  Individuals must be able to understand how to use the control mechanisms and must be able to withdraw consent through means reasonably comparable to those used to grant consent.  Once consent has been withdrawn, the covered entity must delete the data within 45 days.
  • Focused Collection and Responsible Use: Covered entities must collect, retain, and use personal data in a manner that is reasonable in light of context and must minimize privacy risk (i.e., the potential for the data to cause harm to an individual) when determining its collection, retention, and use practices.  Context is defined in the Act by reference to several factors including the extent and frequency of interactions between individuals and the entity, a user’s understanding about how the entity processes collected data, and the types of personal data processed.  Responsible use includes the data minimization principle of deleting, destroying, or de-identifying personal data after it has fulfilled its business purpose.
  • Respect for Context: Covered entities who are not in accordance with the Act and are not using personal data reasonably in light of context must mitigate privacy risks by, inter alia, providing heightened transparency and individual control, absent limited exceptions.
  • Security: Covered entities must identify risks to the privacy and security of personal data, establish, implement, and maintain safeguards to ensure the security of personal data, and regularly assess, and if necessary adjust, those safeguards.  The reasonableness of the safeguards adopted will be determined by reference to the privacy risk of the data, the foreseeability of threats, widely accepted industry practices, and the cost of the safeguards.
  • Access and Accuracy: Covered entities must provide reasonable access to or a representation of the personal data under their control and must establish, implement, and maintain procedures to ensure such personal data is accurate.  Reasonableness considerations include the privacy risk, the risk of adverse action against the individual if the data is inaccurate, and the cost of providing access or ensuring accuracy.  Covered entities must also provide individuals with means to dispute and resolve the accuracy and completeness of the personal data.
  • Accountability: Covered entities must ensure compliance with the Act through training of their employees, internal or independent evaluations or audits, incorporating privacy and data protection into their systems and practices, and binding third parties to which personal data is disclosed to use that data “consistently with the covered entity’s commitments.”

Who Is Affected?

The Act broadly defines a “covered entity” to include any “person that collects, creates, processes, retains, uses, or discloses personal data in or affecting interstate commerce.”  Personal data itself is broadly defined as any non-publicly available data under the covered entity’s control that is linked or can be linked to an individual or a device associated with an individual.

The Act excludes from its grasp companies with limited personal data use, including companies with 5 or fewer employees, companies that collect, create, process, use, retain, and disclose the personal data of fewer than 10,000 individuals over a 12-month period, and companies that have fewer than 25 employees and only process data related to their employees or job applicants.

What Are the Remedies for Noncompliance?

The Act gives enforcement powers to the Federal Trade Commission (“FTC”) and to state attorneys general to seek injunctive relief.  The FTC would also be able to levy a civil penalty up to, in some circumstances, $25 million.  Should the Act be enacted, it would preempt any state or local statutes, regulations, or rules addressing personal data processing, not including breach notification requirements and laws that address the processing of health or financial information.

Finally, the Act includes safe harbor protection and protects covered entities who have “maintained a public commitment to adhere to a [FTC]-approved code of conduct that covers the practices that underlie the suit or action and is in compliance with such code of conduct.”


On both the company and consumer side, the Administration’s draft legislation was met with apprehension.  The response of the Information Technology Industry Council (“ITI”), whose member companies include Google, Apple, Microsoft, and Oracle, focused on the need for all stakeholders to participate in the implementation of any framework regarding privacy practices.  The ITI stated that it “plans to engage with policymakers and lawmakers to provide our input.”

And representatives from privacy and technology groups, including the Center for Democracy and Technology, Center for Digital Democracy, and Consumer Watchdog, sent a letter today to President Obama detailing what they believe are shortcomings in the draft legislation.  These include inadequately defining sensitive information, inadequately providing the FTC with resources, failing to protect large categories of personal information, and preventing private citizens and state attorneys general from “taking meaningful action to protect privacy.”  This letter also criticized the lack of consultation with the organizations signing the letter.

These early responses indicate that this hotly contested legislation will likely not find consensus in the near future.