The Obama administration on Friday proposed a wide-ranging bill intended to provide Americans with more control over the personal information that companies collect about them and how that data can be used, fulfilling a promise the president had talked about for years.
But some privacy advocates immediately jumped on the proposed legislation, saying it failed to go far enough, particularly given the broad statements President Barack Obama had made on the issue. They said the bill would give too much leeway to companies and not enough power to consumers.
There are already a number of federal laws, like the Fair Credit Reporting Act and the Video Privacy Protection Act, that limit how companies may use certain specific consumer records. The new proposed bill, the Consumer Privacy Bill of Rights Act, is intended to fill in the gaps between those statutes — by issuing some baseline data-processing requirements for all types of companies.
"It applies common-sense protections to personal data collected online or offline, regardless of how data is shared," the Obama administration said in a statement on Friday, "and promotes responsible practices that can maximize the benefits of data analysis while taking important steps to minimize risks."
The proposal, at its core, calls on industries to develop their own codes of conduct on the handling of consumer information. It also charges the Federal Trade Commission with making sure those codes of conduct satisfy certain requirements — like providing consumers with clear notices about how their personal details will be collected, used and shared.
Companies that violate those requirements could be subject to enforcement actions by the commission or by state attorneys general.
The administration’s proposal, considered a discussion draft, would need a congressional sponsor before it could be officially introduced. Already, though, industry analysts said that the proposal, along with several other legislative efforts on commercial privacy, was unlikely to be enacted in a Republican Congress.
The White House effort comes during heightened public awareness about both government and commercial data-mining. And the proposal drew sharp reactions.
Some prominent legislators and privacy law scholars said the administration’s effort failed to endow citizens with direct and clear legal rights to control who collects their information and how they use it. And the bill, they say, largely puts companies in charge of defining their own criteria for fair and unfair use of consumers’ personal details.
"Instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally enforceable rules that companies must abide by and consumers can rely upon," Sen. Edward J. Markey, D-Mass., who has been investigating consumer-profiling companies called data brokers, said in a statement on Friday.
Companies like Acxiom, a database marketer in Little Rock, Arkansas, for instance, help marketers target individual consumers by estimated household income, ZIP code, race, ethnicity, social network or interests like "smoking/tobacco" or "gaming-casino."
Experian Marketing Services, another marketing company, uses data-mining to stratify consumers into socio-economic clusters with names like "small town, shallow pockets" and "diapers and debit cards."
Armed with that kind of information, advertisers might, say, send smokers ads for the latest air filters. But in a report last year on data brokers, the Federal Trade Commission warned that such profiling could be also used in ways that could "adversely impact consumers." Third parties, regulators wrote, could potentially use brokers’ information on smokers to decide whether someone was "a poor credit or insurance risk, or an unsuitable candidate for employment or admission to a university."
The report called on Congress to enact legislation to protect this kind of volatile information by, among other things, requiring companies that serve consumers to obtain consent from individuals before collecting such sensitive details about them.
While the White House’s proposal does not explicitly require companies to obtain affirmative consent to collect health information, it does call on companies to give individuals reasonable means to control the use of their personal data — depending on the context and "in proportion to the privacy risk."
Microsoft heralded the draft bill as a welcome first step in improving consumer trust in how companies handled their information.
"The White House framework tackles issues that are crucial to build trust and foster innovation," Brendon Lynch, chief privacy officer of Microsoft, wrote in a blog post on Friday. "Not all will agree with every aspect of the proposal — some will say it goes too far, while others will say it doesn’t go far enough — but it’s a good place to start the conversation."
But some privacy advocates warned against the bill’s reliance on industry-developed codes of conduct. The process, they contended, would allow companies to define for themselves whether their data-use policies constituted privacy risks to consumers. They also said the bill offered companies loopholes that would help them avoid giving consumers meaningful control over their records and make it difficult for federal regulators to enforce the legislation.
"While it claims to provide rights to consumers, behind its flimsy policy curtain is a system that gives real control to the companies that now gather our information," said Jeffrey Chester, executive director of the Center for Digital Democracy, a consumer advocacy group in Washington.
A few privacy law scholars said that the draft bill could undermine protections consumers already had. If enacted as currently written, for instance, it could pre-empt stronger laws in a few states that require companies to obtain consumers’ explicit consent before collecting unique biometric information like fingerprints or facial scans.
"It would override state statutes that give people more protection," said Alvaro M. Bedoya, executive director of the Center on Privacy and Technology at Georgetown University Law Center. "It would be a significant setback for privacy."
Natasha Singer, New York Times