The White House's proposed privacy bill of rights, which dropped late Friday afternoon, is leaving just about everyone unhappy. Some privacy advocates immediately said the bill doesn't go far enough, while industry representatives quickly said the bill was unnecessary.
By today, the bill had drawn a new round of criticism. This morning, the Association of National Advertisers called the proposed measure “a major step in the wrong direction,” and added that it will “divert attention and energy from critical data security legislation and will not materially aid the privacy debate.”
The trade group adds that any legislation should focus on data breaches, which “threaten consumers’ credit and pocketbooks and they are an annual drag on our economy of tens of billions of dollars.”
Specifically, the ANA wants lawmakers to pass a federal data-breach notification law that will preempt the “more than 47 inconsistent and conflicting state data breach and data security laws.”
Meanwhile, 14 advocacy groups said in a letter dated today that the bill requires “substantial changes” in order to “protect Americans’ right to privacy.”
“The bill should provide individuals with more meaningful and enforceable control over the collection, use and sharing of their personal information,” states the letter, which was signed by groups including the Center for Digital Democracy, Center for Democracy and Technology, Consumer Watchdog and the Electronic Frontier Foundation. “The bill should uphold state privacy laws and afford stronger regulatory and enforcement authority to the Federal Trade Commission.”
The White House's proposed “Consumer Privacy Bill of Rights Act of 2015” aims to implement fair information practice principles, which generally limit companies' ability to collect and use people's personal data.
The draft bill would require companies that collect data from consumers to notify people about the information gathered, and allow them to wield limited control over that data. Among other provisions, the proposed “bill of rights” requires companies to give consumers “reasonable means to control the processing of personal data about them in proportion to the privacy risk to the individual and consistent with context.”
The proposal also broadly directs companies to limit data collection and use to “a manner that is reasonable in light of context” — like fulfilling a consumer's request for a service. At the same time, the measure allows companies to use data even in ways that are “not reasonable in light of context” if they go through certain hoops, like conducting a “privacy risk analysis.”
The proposal empowers the Federal Trade Commission to bring enforcement actions against companies that violate the privacy rules, while also giving companies a “safe harbor” defense if they participate in a self-regulatory program approved by the FTC.
Advocacy groups that signed a letter criticizing the bill point out specific areas where they say it falls short. One of the most significant is that many provisions only apply if companies believe that data they hold about consumers could pose a “risk of harm” to them.
Sen. Al Franken (D-Minn.), one of the more vocal privacy advocates on Capitol Hill, also officially joined the ranks of critics this week. “I have concerns that his proposal lacks the necessary teeth to hold companies accountable for their privacy policies and to ensure robust protections for consumers’ information,” he said in a statement issued on Monday. “The President’s proposal, unfortunately, … takes control away from consumers and puts it back in the hands of companies.”