Following Obama's Speech at FTC, Lawmakers Pledge to Reintroduce Privacy, Data Bills

Obama said the administration plans three proposals for bills, including the Consumer Privacy Bill of Rights (CPBR), which the White House released as a framework in Feb. 2012. The other proposals are the Student Digital Privacy Act (SDPA) and a data breach bill. The CPBR, which the administration expects to be introduced by late March, provides consumers with a number of rights related to their personal data, including the right to decide what personal data companies can collect and how that data can be used, Obama said. The proposal also would require companies to use collected data only for their intended purpose, he said. The SDPA would require all data collected on students to be used only for educational purposes, said Obama. Such data should be used to “to teach our children, not to market to our children,” he said. The data breach bill would create a “single, strong national standard so Americans know when their information has been stolen or misused,” Obama said. The current “patchwork” of state laws on data breaches is “confusing for consumers,” he said. The bill also would require companies to notify consumers of a breach within 30 days, he said.

Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., applauded Obama’s speech and said they plan to reintroduce the Personal Data Protection and Breach Accountability Act (S-1995). The bill would let consumers “recover damages for injuries caused by the failure of companies to protect their personal and financial information,” they said. “The President's promise to boldly ratchet up data breach protections is both welcome and urgent -- and Congress must accomplish it with long overdue action," said Blumenthal and Markey. “Any federal action should enhance, not undermine, strong state consumer protection laws.”

Senate Judiciary Committee ranking member Patrick Leahy, D-Vt., cheered Obama’s data breach proposal. He said he plans soon to reintroduce his Personal Data Privacy and Security Act (S-3990), which he has introduced in each of the last four congressional sessions. “The President’s new initiative on data breach notification is one piece of the necessary response to this serious problem, but we also need to make sure we protect consumer’s private information before breaches happen,” he said. “My legislation has required companies to implement data security measures to protect personal information from cyber attacks in the first place.”

Markey and Sen. Orrin Hatch, R-Utah, thanked Obama for his emphasis on student privacy. The senators introduced the Protecting Student Privacy Act (S-2690) last year, which they said would provide “middle ground between overly burdensome requirements on schools and educational technology providers, and the transparency that parents rightly demand."

House Commerce Committee Chairman Fred Upton, R-Mich., and incoming Commerce Trade Subcommittee Chairman Michael Burgess, R-Texas, welcomed Obama’s commitment to improving cybersecurity, they said. “It’s only a matter of time before the next big breach hits, which is why one of the first items of business for the Subcommittee on Commerce, Manufacturing, and Trade will be to advance a data breach bill.” Upton and Burgess said they “look forward to working with the White House this year to enact meaningful legislation that will limit online threats.”

"I look forward to working with the President to protect consumer privacy, but the devil is in the details,” said Rep. Pete Olson, R-Texas. “I agree that we need a federal standard for data breach notification, but we must take a balanced approach to protect consumers without putting unnecessary burdens on companies or hindering important uses of data." Congress "should quickly take up the President’s legislative proposals,” said Nuala O’Connor, Center for Democracy and Technology CEO. “Even with these proposed reforms, we must not forget about government surveillance reform."

“We all agree that it’s essential to protect consumer data privacy, but new federal regulations won’t make consumers any safer,” said Mark MacCarthy, Software & Information Industry Association vice president-public policy. The FTC has “proven time and again that it has full authority to bring actions against companies that provide misleading privacy notices or fail to protect personal information,” he said. “New consumer privacy legislation should be considered only if there are actual and substantial harms that are not addressed by current law."

“It’s good that the president has re-focused on privacy and data security issues, but it would be terrible [if] his proposals preempt stronger state laws and offer less protection,” said John Simpson, Consumer Watchdog's Privacy Project director. “States must be allowed to enact stronger measures. ... We’re concerned that in an effort to achieve bipartisan action there is a real possibility of passing loophole-laden legislation."

“While some of his recommendations are on target, many of the President’s proposals miss the mark either by overlooking needed opportunities for reform or by promoting excessive privacy regulations that compromise the potential for innovation,” said Daniel Castro, Information Technology and Innovation Foundation senior analyst. Castro said Obama “missed an opportunity” to push back against law enforcement efforts to “weaken security for the purpose of surveillance. ... While the President is right to support chip and PIN technology for securing electronic payments, the Administration should also be promoting secure mobile payment technology.”

Obama’s speech represents “real progress on a tough issue,” said Ellen Bloom, Consumers Union senior director-federal policy. “We’re anxious to see the details of the updated Consumer Privacy Bill of Rights in the weeks ahead.” The Center for Digital Democracy awaits the chance to "review the text of proposed privacy bills announced today by President Obama,” said Executive Director Jeff Chester. “While the ‘Bill of Rights’ incorporates high-minded principles, we fear that at the end of the day legislation will sanction our ever-growing data collection status quo.”

“SIIA and our member companies agree with the need to safeguard student data,” said MacCarthy. “The pledge is one enforceable means by which the industry is demonstrating its commitment to protect student information and make certain it is used only for educational purposes.” MacCarthy said 75 education tech companies have signed the pledge. "We are concerned that, unless a new federal law pre-empts all state laws, it risks adding another layer to the confusing patchwork of regulations now facing local schools and service providers,” he said. Microsoft said it welcomed Obama’s student privacy initiative. Houghton Mifflin Harcourt also said it supports that proposal.