Blog Post / Privacy & Security Law Blog
President Obama’s Proposed Privacy Bill of Rights
03.04.15
Part 3: Who’s Covered
This week we have brought you a multi-part series analyzing the Obama administration’s proposed Consumer Privacy Bill of Rights, which would require greater transparency by businesses in their privacy practices and grant individuals certain rights and controls over how businesses collect, use and share personal information. Part 1 examined how the proffered bill of rights defines personal data, its de-identification provisions, and its retention requirements, and Part 2 examined its notice, control and context requirements.
In this post, we look at what commercial and non-commercial entities would be subject to the proposal.
Covered entities
The new proposal, if introduced and passed by Congress, would apply to any person that collects, creates, processes, retains, uses or discloses “personal data” in or affecting interstate commerce. This includes public and private commercial entities and non-commercial entities (e.g., non-profits, education institutions, and community organizations). Unlike the existing sectoral approach to privacy regulation here in the United States, this would greatly expand coverage to include businesses and non-profits that collect as little as the names and postal addresses of customers for their own marketing and fundraising efforts, although certain smaller entities would be exempt.
Exempt entities
There are 3 types of small organizations that are exempted from the definition of covered entity:
- If your organization has fewer than 6 employees and does not knowingly collect, create, process, use, retain or disclose certain sensitive data elements (e.g., medical history; national origin; sexual orientation; gender identity; religious beliefs or affiliation; income, assets or liabilities; precise geolocation information; unique biometric data; or Social Security number).
- If your organization collects, creates, processes, uses, retains or discloses personal data of fewer than 10,000 individuals and devices during any 12-month period and does not knowingly collect, create, process, use, retain or disclose any of the sensitive data elements on the above list.
- If your company has 25 or fewer employees and the only personal data you collect or maintain relates to job applicants and employees in the ordinary course.