President Obama previewed next week's State of the Union address, in which he will propose comprehensive data privacy legislation, including a nationwide data-breach notification law, a Consumer Privacy Bill of Rights, and limitations on the use of student data. The announcement comes at a pivotal time for privacy in the wake of the high-profile data breaches that filled the news in 2014.
In his remarks, President Obama called for Congress to create a “single, national standard” for notifying consumers of a data breach. Specifically, the president’s legislative proposal generally would require companies to notify customers of breaches of computerized data within 30 days. The proposed breach legislation would also preempt the current patchwork of state breach laws, although preemption would be limited to state laws “relating to notification” of breaches involving computerized data. The proposal would provide the Federal Trade Commission (FTC) with rulemaking authority and would be enforceable by the FTC and state Attorneys General. In addition, the proposed legislation would extend computer-crime laws to reach extraterritorial conduct in an effort to prosecute perpetrators of cyber-attacks even when the perpetrators are located overseas.
The president also proposed legislation adopting the Administration’s 2012 Consumer Privacy Bill of Rights. The proposal would outline “basic principles to both protect personal privacy and ensure that industry can keep innovating.” Such a law would provide consumers the right to decide what personal data companies collect from them and how companies use that data, as well as require that companies protect the security of consumer information and be held accountable for its use. The president promised that this legislation would be introduced by the end of February 2015.
Finally, President Obama proposed legislative language that would be focused on protecting student data from being used for commercial purposes, such as targeted advertising. Specifically, the president’s proposal would require that data collected regarding students be used only for educational purposes and would restrict companies from selling student data to third parties for non-educational purposes. The president’s proposal is likely modeled on California’s recently passed landmark student privacy law, the Student Online Personal Information Protection Act, which prohibits operators of online educational services from selling student data and using such information to target advertising to students or to “amass a profile” on students for a non-educational purpose.