The recently released White House Consumer Privacy Bill of Rights discussion draft may give consumers better protections than currently available in the United States. But it has too many loopholes and weak enforcement, privacy experts say.
And even the Federal Trade Commission — which ultimately would enforce the legislation — has criticized the draft.
A fact sheet released by the White House acknowledges the need for strong consumer information protection, as more and more data on Americans is being collected and stored.
The White House said the draft — created with input from various consumer advocacy and private industry groups — “applies common-sense protection to personal data collected online and offline” and “promotes responsible practices” while minimizing the risks.
One of the major provisions of the legislation is transparency. It requires both for-profit and nonprofit entities to disclose their privacy and security practices in “concise and easily understood language.”
That would include the type of data collected, along with its source, as well as the reason the data is collected and used, when it’s destroyed or “de-identified,” and how it is being secured.
Individuals also would have a way to access their personal information as well as grant, refuse or revoke access.
Other provisions include:
– A requirement to identify risks to privacy and security, and to establish safeguards to protect the data;
– The ability of consumers to withdraw consent, leading to the deletion of associated personal data;
– A civil penalty of no more than $35,000 a day for the duration of any violation period, or up to $5,000 per affected consumer, with a cap on the maximum penalties at $25 million.
Among the bill’s biggest issues are the fact that many definitions and provisions are broad, and predicated on “context” and the privacy risk the data poses.
“This is one of the vaguer bills I’ve seen. As a company, I wouldn’t know how to implement it,” said Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology.
In its analysis of the draft bill, the CDT noted that using the narrow formulation of “privacy risk” would leave many data sets, including those used for marketing, unaddressed. It also said some of the exemptions are too broad, while the enforcement powers are “strangely weak.”
A letter addressed to President Obama and signed by 14 consumer and watchdog groups said the draft legislation doesn’t go far enough.
Among other things, the letter said the bill doesn’t adequately define sensitive information, doesn’t give consumers meaningful choices, gives companies broad leeway in determining protections, pre-empts strong state laws, and prevents consumers or state attorneys general from taking meaningful action.
“[S]ubstantial changes must still be made for the legislation to effectively protect Americans’ right to privacy,” the letter said.
Other critics think the bill goes too far. The Electronics Consumer Association, for example, said the bill would hurt innovation.
ECA president and CEO Gary Shapiro said in a statement that the “broad definitions, expanded bureaucratic authorities, and steep penalties could burden the tech economy with uncertainty” as well as stifle the development of the Internet of Things.
Brookman said the White House knew there would be strong criticism of the bill, which is why it labeled it a “discussion draft.”
“They knew they would be hit pretty hard on some of these ideas and said, ‘We’re just trying to get the conversation started,’” he said.
In the short term, passing this bill is unlikely, Brookman said. It’s not only a challenge to pass anything in Congress these days, but any regulations that affect businesses and put restrictions on data-driven economy are especially a tough sell.
“In the long term, ultimately, we’re going to need some sort of privacy law in the United States,” he said. “That’s why it’s good to see the bill come out, recognizing that something needs to be done.”
Besides Turkey, the United States is the only developed country without a standard privacy-protection policy for personal data.
The lack of protection is causing increased skepticism from companies abroad about doing business with U.S. enterprises, Brookman noted.
He said the good news is that every time legislation like this is being proposed, the call for it gets stronger.
“It is really hard to get it right — there’s no perfect solution,” he said. “But the current solution of relying heavily on self-regulation certainly isn’t sufficient.”
This article originally appeared on ThirdCertainty.com and was written by Rodika Tollefson.
