The Obama administration's recently unveiled Consumer Privacy Bill of Rights Act of 2015 has a long road to become law, but experts think it is a good first step and should make it easier for most enterprises to comply with a single federal law than with many differing state laws.
The Consumer Privacy Bill of Rights has been in the works for two years, and is getting an official push by the Obama administration as a companion to the Data Security and Breach Notification Act of 2015, which would require organizations to disclose data breaches in a timely manner in order to help mitigate risks of identity theft for consumers.
Holding enterprises to a higher data privacy standard
According to the administration, the stated aim of the Privacy Bill of Rights, officially unveiled last month, is to provide "a baseline of clear protections for consumers and greater certainty for businesses," while fostering more transparency about data collected, using data only in the context with which it was given, securely handling data, allowing consumers access to said data, maintaining reasonable limits on what data is collected, and holding organizations accountable for failing to follow these rules.
Christos Veltsos, president, Prudent Security
Many references in the bill touch on the aim of improving trust between enterprises and customers, and experts say that the proposed bill should be successful in doing just that.
"The proposed Consumer Privacy Bill of Rights holds the potential to help not only consumers, but businesses as well," said Sarah Cortes, a privacy researcher at Northeastern University in Boston. "In today's global marketplace, consumers outside the U.S. form a huge and growing market. Establishing that U.S. enterprises must meet a high regulatory standard in consumer privacy provides a competitive advantage for U.S. companies."
The global scope of the bill was echoed by Christos Veltsos, associate professor at Minnesota State University in Mankato, who noted that many organizations compete in a global marketplace right now, and the United States needs to have a national standard for privacy that can compare to laws in other countries.
"We can't keep going with 47 different state data breach laws," Veltsos said. "We're living in a global world and many other countries have stronger privacy laws. This is aimed at bringing us in alignment with the rest of the globe, and we need to tip the scales back in our favor in terms of being competitive on a global scale."
While Veltsos believes that the U.S. needs a single national privacy law, he did note that the current proposal is not likely to be the final form of the bill. He said that the proposal is something like a version "0.7 or 0.8 -- almost ready for prime time," and that he actually hopes it doesn't pass in its current form.
One specific provision that Veltsos said appears ripe for abuse is the "safe harbor" clause, which is designed to allow companies to self-certify that they comply with the requirements of the bill.
"Somebody that may not be properly qualified could apply and potentially be given certification to administer the safe harbor codes of conduct," Veltsos said. "You could have 100 of those certified entities and 99 do a great job, but one that's just a pass-through entity."
One of the controversial aspects of the proposed law is that it would supersede the various state and municipal laws that exist around the country. According to Veltsos' reading of the preemption section of the law, the proposed bill would supersede any state laws that specifically deal with privacy, but may not cover privacy provisions that are found in bigger state laws.
Veltsos said that the proposed Bill of Rights could ultimately weaken some existing laws, including those in California and Massachusetts, but he said that is an unfortunate side effect of getting a national law passed.
"It's difficult to find the leverage to pass a bill like this that will raise the bar in most states," Veltsos said. "You can't push too hard and try to raise the bar everywhere or else it won't pass, so there will be cases where laws get watered down."
Privacy Bill of Rights compliance implications
Veltsos and Cortes agreed that it would be much easier for national companies to deal with one federal law rather than multiple state laws, especially because the bill draws on existing practices and regulations in order to make the transition easier for enterprises.
"It follows FIPPS [fair information practice principles], so it is consistent with what businesses have been implementing all along," Cortes said. "It is codifying many existing laws, like the third-party doctrine, which holds that customary records held by third parties are already disclosed."
According to Veltsos, it should also be relatively easy for public companies currently subject to HIPAA or SOX compliance to map existing practices to the Privacy Bill of Rights should it become law, but he noted that issues could arise for privately held enterprises.
"If a company has no basis for a security audit checklist, it could potentially take at least two years to achieve compliance," Veltsos said. "The bill in its current form does not have a provision to ask for an extension if a company can't get to compliance in the stated 12-month time frame."
However, because this bill would preempt existing state and municipal laws in many cases, Cortes noted that there might be an unintended benefit for businesses in that it would prevent municipalities from passing privacy laws designed to shake down companies for data breach penalties.
Cortes also noted that the bill would help to protect enterprises from spurious lawsuits relating to deleted data, which is exempt in the proposed bill. Cortes said that where the bill has been most criticized is where it has exceptions like this, but said that she saw those as a recognition that there is a need for leeway in business. Veltsos wanted that leeway tightened a bit.
"I would have liked to see something about securely deleted data," Veltsos said. "The problem is that deleted data isn't really deleted. Malware can find it, because the system may have marked it as deleted, but it is still on the drive."
Observers believe the bill has a long way to go if it is to become law, especially with the 2016 election cycle already looming. When it was first announced, the bill was criticized by privacy groups for the various exceptions to data collection rules, and for being too vague in certain areas, such as not specifying the mechanism by which consumers would be able to dispute and correct the accuracy of personal data. Critics have also said that the bill would weaken the unfair trade practice authority of the FTC by giving only 90 days to review a code of conduct.
Ultimately, while there are items that need to be ironed out, both experts see this bill as a step in the right direction with respect to establishing a national privacy law that sets the standard for the U.S. in the global market.
"In general, I think the bill is very good for enterprise, and has the potential to help consumers and businesses," Cortes said. "The law stands to fundamentally improve consumer trust, which will make users more willing to use online businesses."