CDT has long called for a flexible baseline consumer privacy law that would protect consumers from inappropriate collection and misuse of their personal information, both online and offline. The draft takes a bold and important step in covering personal information collected in both spheres, with a uniform set of baseline rules outlining the rights of consumers and obligations of companies with respect to both types of consumer data. Such legislation has the potential to be a game changer for consumers, offering much-needed protections in an increasingly complex, data-driven economy.
CDT’s comments emphasized the importance of moving away from a singular focus on notice and choice mechanisms to a structure that incorporates a comprehensive set of Fair Information Practice principles (FIPs), that provide a framework for substantive protection of consumer data. We also recommended incorporating into the bill regulatory flexibility aimed at accommodating different business models and technologies. While FIPs are well-suited to the task of providing a cross-industry framework for privacy-protective practices, writing specific requirements into legislation will likely prove a Sisyphean task. Because business practices and processes may vary significantly between “brick and mortar” companies and those online, a single set of specific practices that apply to all covered entities will be ill-fitting for some. Further, privacy protections enshrined in law must be able to respond to rapid changes in technology. In our comments, CDT raised concerns that highly prescriptive mandates written into law may inadvertently “freeze” today’s practices into law and discourage future innovation.