Since its release in late February, the White House’s “Discussion Draft: Consumer Privacy Bill of Rights Act of 2015” has drawn a significant amount of friendly fire from privacy activists and even federal privacy regulators. Their criticism insinuates that the Discussion Draft is at best a floor, a starting point for more stringent regulation. That perspective should be quite troubling to those who work in and benefit from the Internet Economy, for as we discuss below, certain aspects of the draft impose burdens on data use that far outpace any that currently prevail or have been proposed at the federal level.
“Privacy Risk.” The data rights and protections the Discussion Draft affords are predicated on consumers suffering a “privacy risk” harm. That harm is defined as “the potential for personal data, on its own or when linked to other information about an individual, to cause emotional distress, or physical, financial, professional or other harm to an individual” (our emphasis). This definition would enshrine into federal law broad, amorphous, and precautionary concepts of harm that are radically out of step with prevailing law. For instance, federal courts have almost uniformly rejected data-privacy-related class-action lawsuits where the injuries alleged reflect plaintiffs’ fears of financial harm or emotional concerns. One very recent example is a Middle District of Pennsylvania ruling, Storm v. Paytime, Inc. and Holt v. Paytime Harrisburg, Inc., in which the court found that plaintiffs who cannot allege harms that are “concrete in both a qualitative and temporal sense” lack standing to sue. An alleged injury that provides the basis for a federal law enforcement action should certainly be no less concrete. Some activists, however, view “privacy risk” as too difficult for consumers or regulators to prove and have called for an even broader concept of injury.
Data Collection in “Context.” Some of the Discussion Draft’s most burdensome regulatory duties hinge on whether a “covered entity’s” processing of personal data is reasonably collected in light of “context.” Context is defined as “the circumstances surrounding [that use] including, but not limited to” eleven enumerated factors such as “the extent and frequency of interactions” and “the range of goods and services the covered entity offers.” Under this standard, each regulated entity will have to weigh eleven or more factors to figure out if its data collection and use are reasonable “in context,” and then it will have to predict what the Federal Trade Commission (FTC) considers to be “reasonable.” That would keep many well-compensated company lawyers very busy.
What must a company do if the FTC determines that its data collection is “unreasonable?” The company must “conduct a privacy risk analysis” and then “take reasonable steps to mitigate any identified privacy risk, which shall include, but are not limited to [there’s that phrase again], providing heightened transparency and individual control.” An exemption from that requirement applies if a company utilizes a “Privacy Review Board” that has been FTC-certified.
Companies that unreasonably process data out of context must also “conduct a disparate impact analysis to determine whether the analysis of personal data … results in a disparate impact on individuals on the basis of age, race, color . . .” FTC has fueled a focus in this area with workshops on whether “Big Data” is inclusive or exclusive. The resulting disparate impact analysis, which could cost hundreds of thousands of dollars, would undoubtedly become fodder for class-action lawsuits and activists’ demonization campaigns.
Enforcement Authority. One privacy activist’s assessment of the Discussion Draft bemoans its “weak enforcement provisions.” We think they doth protest too much. The draft designates a violation of its provisions as an “unfair or deceptive act or practice” under Section 5 of the Federal Trade Commission Act. FTC has been working to push out the boundaries of its unfairness jurisdiction in the data privacy and security area, so this is manna from Heaven for the Commission. The Discussion Draft essentially deems it unlawfully “unfair” to impose a risk of emotional distress or financial loss on a consumer. That expands FTC’s enforcement power by several orders of magnitude. FTC would also have nearly unlimited discretion to determine, among other things, if a company’s data use is reasonable in context, whether its Privacy Review Board is up to snuff, and whether, under Title III of the White House Discussion Draft, a company’s code of conduct qualifies it for safe harbor protections.
In addition to FTC, the draft grants law enforcement authority to state attorneys-general. State AGs must provide notice to FTC of any enforcement action and, if FTC decides not to intervene, the state may pursue a suit of its own for injunctive relief (but not for civil fines). Finally, though the Discussion Draft does not create a private right of action to enforce its requirements, and preempts similarly focused state laws, it specifically would allow public and private actions under state consumer protection laws. As food companies have discovered from having to defend class-action suits brought under state “Little FTC Acts,” such litigation can amount to an expensive second layer of regulation.
Draft’s Broader Influence. The general consensus among those deeply involved with privacy law and regulation is that the administration’s Discussion Draft has little chance of ever becoming law. But we find little comfort in that reality. In a March 4 opinion piece, a former Obama Administration technology policy official urged that the draft be a harbinger of “a national dialogue about privacy.”
Also, the draft represents the view of the President of the United States on commercial data collection and federal controls over those practices. We agree with one lawyer’s assessment of the Discussion Draft that it “may influence regulatory activity, and this should be taken very seriously.” The predominant federal privacy regulator, FTC, is nominally an independent agency, but as we’ve learned from the past months’ developments in “net neutrality,” such agencies are not immune from executive suasion.
The Administration’s Discussion Draft is quite far from what privacy activists bemoan it as: a minimally protective floor. Of course professional naysayers will demand more; it’s how they operate. But behind their collectively gritted teeth, they must be smiling, because the White House’s proposal would bestow an unprecedented amount of authority and discretion on government data privacy regulators. It also endorses activists’ long-standing contention that “creepiness” constitutes an actionable harm for those whose online data is collected or used. At its core, the proposal represents another step towards government-mandated mediocrity and away from the kind of “permissionless innovation” that up until now has made the Internet an engine of economic growth and consumer freedom.
Also published by Forbes.com at WLF’s contributor site.