The Obama administration’s recently released white paper outlines a consumer data privacy framework that would supplement existing laws and, as one of its four key elements, give the Federal Trade Commission a strengthened enforcement role.

The framework represents the administration’s proposal for providing additional consumer data privacy protections that it believes are necessary to preserve consumer trust “in the technologies and companies that drive the digital economy.” According to the white paper, the administration intends to implement the framework “without delay.”

The framework has four key elements:

A Consumer Privacy Bill of Rights
The administration has developed a “Consumer Privacy Bill of Rights” (CPBR) that, in the administration’s view, “provides a baseline of clear protection for consumers and greater certainty for companies.” The CPBR, which is similar to the privacy principles recognized by the European Union, would give consumers a right to: (1) individual control over personal data collected and its use, (2) transparency as to a company’s privacy and security practices, (3) respect for the context in which the consumer provides personal data (meaning that such data is collected, used and disclosed in ways that are consistent with such context), (4) security in the handling of personal data, (5) consumer access to data maintained on them and the ability to ensure the accuracy of such data, (6) focused collection (meaning reasonable limits on the data collected), and (7) accountability of a company and its employees for how personal data is handled.

Market and Industry Codes of Conduct
The administration seeks a “multistakeholder process” to develop codes of conduct that implement the general principles contained in the CPBR. The stakeholders would include individual companies, industry groups, privacy advocates, consumer groups, state attorneys general, and federal civil and state law enforcement officers. The stakeholders would be charged with identifying markets and industry sectors that involve significant consumer data privacy issues and may be appropriate for an enforceable code of conduct. If a company chooses to adopt a code of conduct for its market or industry (and possibly multiple codes for different business lines), the administration expects it could enforce the company’s public commitment to adhere to the code of conduct under Section 5 of the FTC Act.

FTC Enforcement
The FTC would be charged with enforcing the commitments of companies under the FTC’s jurisdiction to adhere to one or more codes of conduct. According to the administration, “in any investigation or enforcement related to the subject matter of one or more codes, the FTC should consider the company’s adherence to the codes favorably.”

International Cooperation
To address the challenge created by differences in national privacy laws for companies that transfer personal data across national borders, the United States would engage with other countries “to increase interoperability in privacy laws” through mutual recognition and enforcement cooperation.

In the white paper, the administration also outlines its desired approach to new privacy legislation. That approach includes the passage of legislation codifying the CPBR and granting enforcement authority to the FTC and state attorneys general. The administration believes such legislation should also (1) give the FTC authority to review and approve codes of conduct adopted by companies and determine if the codes sufficiently implement the CPBR, (2) grant companies who follow an FTC-approved code of conduct a safeharbor from enforcement of the statutory CPBR, and (3) preempt state laws that are inconsistent with the statutory CPBR.

The administration’s intent is to avoid creating duplicative regulatory burdens, so that financial institutions subject to the Gramm-Leach-Bliley Act and its implementing regulations and guidelines would largely be exempt from the new regime. In addition, the administration’s plan does not expressly envision a role for the Consumer Financial Protection Bureau (which has authority to enforce provisions of the GLBA.) Nevertheless, the administration’s actions in the privacy arena are likely to influence the CFPB’s approach to data privacy and security. In addition, the administration states its support for a national standard for security breach notifications that would preempt state notification laws and that purportedly would apply to all financial institutions.

Ballard Spahr’s Privacy and Data Security Group includes experienced lawyers who help clients navigate the many laws designed to safeguard health, financial, and other private information; counsel clients on compliance, data mining, online marketing, and mobile privacy; and assist clients in responding to security breaches.

Ballard Spahr’s Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products, its experience with the full range of federal and state consumer credit laws throughout the country, and its skill in litigation defense and avoidance (including pioneering work in pre-dispute arbitration programs.) The Consumer Financial Services Group also produces the CFPB Monitor, a blog that focuses exclusively on important Consumer Financial Protection Bureau developments. To subscribe, use the link provided to the right.

For more information, please contact CFS Group Practice Leader Alan S. Kaplinsky, 215.864.8544 or; CFS Group Practice Leader Jeremy T. Rosenblum, 215.864.8505 or; John L. Culhane, Jr., 215.864.8535 or; Barbara S. Mishkin, 215.864.8528 or; or Mark J. Furletti, 215.864.8138 or  


Copyright © 2012 by Ballard Spahr LLP.
(No claim to original U.S. government material.)


All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.