Proposed Consumer Privacy Bill of Rights Gets Mixed Reviews
The White House on Friday debuted its proposed Consumer Privacy Bill of Rights Act, which would provide additional statutory protection for sensitive consumer information like Social Security numbers and mandate that holders of such information have to provide consumers with notice about privacy and security practices.
As predicated, no one is happy. MediaPost reports that advocacy groups on both the pro-privacy and anti-privacy sides voiced their opposition.
Advertisers Hate It
On the "anti-privacy" side is the Association of National Advertisers, a marketing and advertising trade group. ANA generally derided the proposal without saying a single concrete thing about why the proposal was "a major step in the wrong direction." Instead, it suggested that Congress should instead focus on "the creation of a national data breach notice and data security regime," which it's already doing.
The ANA probably doesn't want to tell you that the bill would impact advertisers' ability to keep detailed records on individual people and advertise at them more effectively. Under the law, consumers would be entitled to know what information advertisers are keeping about them and be given the meaningful ability to withdraw their consent to use that information.
So the proposed bill basically undermines advertising in the 21st century, which is predicated on amassing a comprehensive record on an individual consumer. Give the consumer the ability to see that record or get rid of it altogether, and you've got a problem -- for advertisers.
Privacy Advocates Hate It Too
On the other side, privacy advocates think the bill doesn't go far enough in actually protecting privacy. The Center for Democracy and Technology cautions that the bill's protections "are predicated on a risk of harm." Rather than assert that consumers have a right to data, period, the legislation designates for regulation only those data that pose a privacy risk.
In CDT's opinion, the bill's narrow definition of privacy risk would exempt "many if not most data sets -- such as information collected for marketing purposes." Consumers should know what advertisers have on them, whether or not exposure of the data would "cause emotional distress, or physical, financial, professional or other harm to an individual."
Will Anyone Ever Be Happy?
So what's to like about the bill? Well, for one thing, it isn't limited just to explicitly identifiable information. It also covers information that's linked to identifiable information. A cell phone device ID can't identify you individually, but it is linked to other information that can so be used.
The bill also contains enforcement mechanisms, but CDT says those aren't enough, as a damage calculation is made "not by the number of affected individuals, but by the number of days during which a violation occurs." Enforcement power would lie exclusively with the FTC -- no more state attorneys general, and no more individual citizen lawsuits.
The bill is "an important step along the way" toward meaningful privacy regulations, but it needs a bit more oomph first.
Related Resources:
- White House Releases Draft of Consumer Privacy Bill (The Verge)
- White House Proposes Broad Consumer Data Privacy Bill (The New York Times)
- AT&T to Offer Fiber-Optic Internet Service at a (Faustian) Bargain (FindLaw's Technologist)
- Congress Tries to Make Technology Law Better With 5 New Bills (FindLaw's Technologist)