Washington, D.C. — The discussion draft of the Administration’s Consumer Privacy Bill of Rights, which was released on February 27, is deeply disappointing. Despite its name, the bill would not provide consumers with clear, actionable rights concerning the collection and use of their personal information. Instead of putting consumers in control, it would allow businesses and organizations to decide what personal information they will collect, how they will use it, and what control, if any, they will give to consumers. Instead of treating privacy as a human right to be respected, the bill takes the approach that businesses and organizations should determine if their data practices pose risks of harm to consumers and, if they do, what steps to take to address those risks. The bill would preempt stronger state privacy laws and make it harder for state authorities and the Federal Trade Commission to stop privacy abuses. It would also bar consumers from bringing their own lawsuits to protect their privacy. The bill would do little to change current practices and would actually weaken consumer privacy in the United States rather than strengthen it.
This is perhaps not surprising given the fact that the bill was drafted by the U.S. Department of Commerce (DOC), which is focused on promoting the interests of businesses. Those interests aren’t always the same as consumers’ and privacy is an area in which there are often very different perspectives. A clear illustration of this is the “multistakeholder process” convened by the National Telecommunications and Information Administration within the DOC to create a voluntary code of conduct for the commercial use of facial recognition technology. Those of us from consumer and privacy groups who have participated in this process for more than a year now are very frustrated by the lopsidedness of the representation at the meetings and the unwillingness of businesses to agree to anything that would change their existing practices or that might constrain their future practices. Little progress has been made. Yet the Administration’s draft bill envisions that such processes will play a major role in setting specific obligations for companies and organizations. Given the failure of the facial recognition work so far and the lack of any information about the extent to which the mobile app privacy disclosures produced by the first multistakeholder process have been implemented and how they’re working, I’m skeptical about placing so much reliance on these codes to provide adequate protections for consumers. And considering how few consumer and privacy advocates there are compared to legions of lawyers and lobbyists, I worry about who will represent the consumer voice in the “hundreds” of multistakeholder groups that the DOC says it expects. Based on my experience, I don’t agree with the proposition that codes arising from DOC’s multistakeholder processes should be presumed to be acceptable, and it’s unclear whether codes developed by others would be more successful. I would prefer legislation that enables the Federal Trade Commission, which has carefully studied privacy issues for many years, to promulgate rules, augmenting the notice and comment process with public workshops and other means to engage stakeholders and obtain input.
Another concern is that the Administration will use this bill to try to convince other countries that our approach to privacy is adequate. For instance, in the trade negotiations currently underway between the U.S. and Europe, the Administration is sure to argue that Europeans should be comfortable agreeing to the “free flow of data” to facilitate ecommerce and other trade across the Atlantic because our privacy regime, while different than the EU’s human rights-based, more restrictive laws, would be equivalent if this bill was enacted. One can also imagine that the U.S. would promote this bill as a model for countries that don’t yet have strong privacy protections. Rather than raising the standards for privacy to the EU level worldwide, this could encourage lower standards and create opportunities for businesses to challenge stronger privacy laws as barriers to trade.
We laud the President for recognizing that privacy is a priority. In these days of “big data” and the “Internet of Things,” it’s more important than ever for consumers to feel confident that their personal information will be handled fairly and securely. To achieve that goal, the Administration should have aimed higher and engaged in meaningful dialogue with CFA and other consumer and privacy groups on a regular basis as the bill was being drafted. We were able to make some constructive suggestions at the last minute and we’re committed to working with the Administration and Congress to provide consumers with strong, effective, and enforceable privacy rights.
Contact: Susan Grant (202) 939-1003
Consumer Federation of America is an association of nearly 300 non-profit consumer organizations that was established in 1968 to advance the consumer interest through research, education and advocacy