White House

By Caleb Skeath

As we reported yesterday, the Congressional Privacy Bill has been released, following the release of the White House’s proposal for a privacy bill in late February.  The bill contains the Commercial Privacy Rights Act of 2015, the Congressional counterpart to the White House’s proposal, along with data breach notification provisions and the “Do Not Track Kids Act of 2015,” which proposes substantial revisions to the Children’s Online Privacy Protection Act (COPPA).  As with the White House proposal, the Privacy Rights Act would implement a comprehensive regime of substantive privacy requirements.  Our analysis of the Commercial Privacy Rights Act is below, and we will separately post further analysis of the data breach provisions as well as the Do Not Track Kids Act.
Continue Reading Congressional Privacy Bill: Commercial Privacy Rights Act of 2015

As we reported earlier today, the long-awaited White House draft of privacy and data security legislation has been released. While the United States does not today have a comprehensive privacy and data security law, the proposed Consumer Privacy Bill of Rights would impose a suite of substantive privacy and data security obligations across sectors and industries. Our sense is that it would be uphill battle for this sort of sweeping privacy legislation to gain traction in Congress over the next two years.

We have answered your key questions about this proposed legislation below, including:

Who would the bill apply to?

How is “personal data” defined under the bill?

What are the substantive obligations?

Are there any safe harbors?

How would the bill be enforced?

Does the bill preempt state laws?Continue Reading White House Privacy Bill: A Deeper Dive

The White House’s much anticipated draft privacy legislation has now been released.   We are digesting its content now and will post an update with some additional comments shortly.

The draft appears to include an expansive definition of “personal data.”  In addition, early press reports note that the draft bill would require companies to inform consumers

By Caleb Skeath

During the White House’s inaugural Summit on Cybersecurity and Consumer Protection last Friday, President Obama signed an executive order designed to facilitate increased information sharing between the private sector and the federal government.  The order follows the introduction of the Cyber Threat Sharing Act of 2015 in the Senate, an information-sharing bill modeled on the legislative proposal released by the White House in January.Continue Reading President Obama Signs Executive Order to Encourage Information Sharing

Yesterday the White House released a report discussing how companies are using big data to charge different prices to different customers, a practice known as price discrimination or differential pricing.  The report describes the benefits of big data for sellers and buyers alike, and concludes that many concerns raised by big data and differential pricing can be addressed by existing antidiscrimination and consumer protection laws.

Big Data and Personalized Pricing 

“Big data” refers to the ability to gather large volumes of data, often from multiple sources, and use it to produce new kinds of observations, measurements, and predictions about individual consumers.  Thus, big data has made it easier for sellers to target different populations with customized marketing and pricing plans.

The White House report identifies two trends driving the increased application of big data to marketing and consumer analytics.  The first trend is the widespread adoption of new information technology platforms, most importantly the Internet and the smartphone.  These platforms give businesses access to a wide variety of applications like search engines, maps, blogs, and music or video streaming services.  In turn, these applications create new ways for businesses to interact with consumers, which produce new sources and types of data, including (1) a user’s location via mapping software; (2) their browser and search history; (3) the songs and videos they have streamed; (4) their retail purchase history; and (5) the contents of their online reviews and blog posts.  Sellers can use these new types of information to make educated guesses about consumer characteristics like location, gender, and income.  The second trend is the growth of the ad-supported business model, and the creation of a secondary market in consumer information.  The ability to place ads that are targeted to a specific audience based on their personal characteristics makes information about consumers’ characteristics particularly valuable to businesses.  This, in turn, has fostered a growing industry of data brokers and information intermediaries who buy and sell customer lists and other data used by marketers to assemble digital profiles of individual consumers.
Continue Reading White House Issues Report on Big Data and Differential Pricing

By Caleb Skeath

Last week, Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) re-introduced the Data Accountability and Trust Act (DATA Act) in the House of Representatives.  The bill (H.R. 580), which has been introduced several times in previous years, would provide a nationwide data security standard, backed by FTC enforcement and civil penalties, as well as provisions requiring notification to affected individuals in the event of a data breach.  Meanwhile, Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR), and Bill Nelson (D-FL) introduced a similar bill, the Data Security and Breach Notification Act (S. 177) this week the Senate.  The Senate bill is also a re-introduction of a previous bill, which would provide FTC-enforced security standards and individual breach notifications.

Although the text of the DATA Act has not yet been released, a release from the bill’s sponsors stated that the bill will be “substantially similar” to prior versions.  According to the release, the bill will define “personal information” to include an individual’s name in connection with (1) a Social Security number, (2) a driver’s license, passport, or other government-issued identification number, or (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to an individual’s financial account.  Commercial entities that own or process personal information would be required to implement effective information security procedures and policies to safeguard that information.  Following a breach, entities would have to notify the affected individuals, in addition to the FTC.  The FTC and state attorney generals would enforce the provisions of the bill, which would allow for civil penalties of up to $5 million for violations.  The bill’s sponsors have announced a public briefing on the bill on February 6, during which they will provide more information about the bill’s provisions.
Continue Reading Data Breach Notification Bills Introduced in House and Senate

By Caleb Skeath

Earlier this week, the Senate Committee on Homeland Security and Governmental Affairs held its first hearing of the new Congress, entitled “Protecting America from Cyber Attacks: The Importance of Information Sharing.”  The hearing focused in large part on the White House’s recent information sharing proposal, which would protect private entities from

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace with a national standard the 47 currently existing state data breach laws so far have been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.
Continue Reading House Debates Federal Data Breach Legislation

Data security and privacy concerns received special attention in President Obama’s State of the Union address last night.  As expected, the President advocated his recently released data security and privacy legislative proposals, which InsidePrivacy has covered extensively.

With regard to data security, President Obama urged Congress to pass legislation to guard against cyber-attacks, combat