CDT has long called for a flexible baseline consumer privacy law that would protect consumers from inappropriate collection and misuse of their personal information, both online and offline. The draft takes a bold and important step in covering personal information collected in both spheres, with a uniform set of baseline rules outlining the rights of consumers and obligations of companies with respect to both types of consumer data. Such legislation has the potential to be a game changer for consumers, offering much-needed protections in an increasingly complex, data-driven economy.
CDT’s comments emphasized the importance of moving away from a singular focus on notice and choice mechanisms to a structure that incorporates a comprehensive set of Fair Information Practice principles (FIPs), which provide a framework for substantive protection of consumer data. We also recommended incorporating into the bill regulatory flexibility aimed at accommodating different business models and technologies. While FIPs are well-suited to the task of providing a cross-industry framework for privacy-protective practices, writing specific requirements into legislation will likely prove a Sisyphean task. Because business practices and processes may vary significantly between “brick and mortar” companies and those online, a single set of specific practices that apply to all covered entities will be ill-fitting for some. Further, privacy protections enshrined in law must be able to respond to rapid changes in technology. In our comments, CDT raised concerns that highly prescriptive mandates written into law may inadvertently “freeze” today’s practices into law and discourage future innovation.
For this reason, we urged that privacy legislation set out requirements at a higher level with the details left to FTC rulemaking. We also recommended that the drafters include a safe harbor provision to encourage innovation in privacy protection and industry-specific best practices. A carefully crafted safe harbor framework, which would apply to companies willing to go above and beyond the minimum requirements of the bill, would give industries or industry segments flexibility to develop tailored privacy solutions with FTC oversight. This is similar to the proposals suggested by Ira Rubinstein.
Such a safe harbor may be the best way to accommodate differences between industries, create certainty for companies (because following approved practices would be deemed compliance with the statute), encourage privacy innovation over time, and reward adoption of accountable practices.
CDT additionally recommended narrower preemption clauses and the addition of a private right of action to permit consumers to directly vindicate their rights.
Representatives Boucher and Stearns have shown consistent leadership on consumer privacy and openness to input on the direction of this draft. We remain confident that this process will result in legislation that both protects consumers and promotes innovation.