The White House revealed its Consumer Privacy Bill of Rights Act draft on Friday to an array of opinions from tech professionals, privacy advocates, and government officials.
While privacy advocates, including the Center for Democracy & Technology, believe the bill could use more explicit wording and stronger boundaries, those involved in commerce think the bill could stifle American innovation.
In a statement to the National Journal, for instance, Lawrence Strickling, assistant secretary for communications and information in the Commerce Department, said: “The Obama administration is committed to protecting consumer privacy while also giving U.S. businesses the flexibility they need to grow and innovate."
Although the draft set out to define and defend consumers' privacy rights, it falls short, said Justin Brookman, director of consumer privacy at the Center for Democracy & Technology, in an interview with SCMagazine.com.
Furthermore, he said, the enforcement of these proposed changes doesn't go far enough. In particular, the draft says privacy violation fines will be calculated by “multiplying the number of days that the covered entity violates the Act by an amount not to exceed $35,000.”
“A reasonable cap needs to be bounded somewhat,” Brookman said. “But it's not going to be a meaningful deterrent.”
If one major company sold millions of records in one day, for example, it would still only face a $35,000 fine. The bill also exempts new companies from penalties for the first 18 months of their existence.
The intentions of the bill might be noble, but compared with stringent state legislation in Massachusetts or California, for example, the bill proposes regulations far less explicit, said Chris Bucolo, senior manager of partner relations in security & compliance, Sikich LLP, in an interview with SCMagazine.com.
“Some of the states are very aggressive now at data security requirements,” he said, adding that this bill might not bring anything new or more intensive to consumers in those states.
This bill would preempt state privacy and data security laws, though common law, laws on health and financial data, laws concerning children, and state data breach notification laws would be maintained. Also federal and state general purposed consumer protection laws would not be preempted.
Although the bill might not be ready for a vote just yet, as evidenced by the wider dissatisfaction from invested parties, one thing is certain: the bill has ignited conversation on privacy and transparency.
Brendon Lynch, chief privacy officer at Microsoft, wrote in a blog post on Friday that the bill was a “welcome development.”
Adding that “never before have these issues been more urgent for our society," Lynch wrote that "it is time to elevate the discussion on privacy and to renew efforts to draft and enact a comprehensive federal privacy bill in the United States to address concerns held by Americans and people around the world over how personal information is collected and used. “