Part 3: Who's Covered

This week we have brought you a multi-part series analyzing the Obama administration's proposed Consumer Privacy Bill of Rights, which would require greater transparency by businesses in their privacy practices, and grant individuals certain rights and controls over how businesses collect, use and share personal information. Part 1 examined how the proffered bill of rights defines personal data, its de-identification provisions, and its retention requirements and part 2 examined notice, control and context requirements. In this post, we look at what commercial and non-commercial entities would be subject to the proposal.

Covered Entities

The new proposal, if introduced and passed by Congress, would apply to any person that collects, creates, processes, retains, uses or discloses "personal data" in or affecting interstate commerce. This includes public and private commercial entities and non-commercial entities (e.g., non-profits, education institutions, and community organizations). Unlike the existing sectoral approach to privacy regulation here in the United States, this would greatly expand coverage to include businesses and non-profits that collect as little as the names and postal addresses of customers for their own marketing and fundraising efforts, although certain smaller entities would be exempt.

Exempt Entities

There are 3 types of small organizations that are exempted from the definition of covered entity:

  1. If your organization has fewer than 6 employees and does not knowingly collect, create, process, use, retain or disclose certain sensitive data elements (e., medial history; national origin, sexual orientation; gender identity; religious beliefs or affiliation; income, assets or liabilities; precise geolocation information; unique biometric data; or Social Security number).
  2. If your organization collects, creates, processes, uses, retains or discloses personal data of fewer than 10,000 individuals and devices during any 12-month period and does not knowingly collect, create, process, use, retain or disclose any of the sensitive data elements on the above list.
  3. If your company has 25 or fewer employees and the only personal data you collect or maintain relates to job applicants and employees in the ordinary course.

Under Section 405, the proposal also gives the FTC rulemaking authority to establish additional exceptions from the definition of covered entity. The FTC must consider, among other factors, the privacy risks, the types of commercial activity (including non-profit activity), the importance of mitigating privacy risks, and the costs and benefits of including additional categories of persons as exempt entities. Given the FTC's broad view of its own jurisdiction for data security matters, you should not hold out much hope that many industry exemptions will be granted.

Government Exemption

Despite that reference to the bill of rights, do not be misled into thinking that the government would subject themselves to this far reaching proposal. In fact, federal, state and local governments are all given a pass on complying with the proposal's broad and ambiguous requirements. The government exemption, once again, asks the private sector to do what I say, not as I do. DWT's series on the president's proposal will continue throughout the week. Please look forward to future posts discussing:

  • Data Security
  • Accountability
  • Expanded FTC Jurisdiction

Christopher Avery is a privacy and data security attorney in Davis Wright's New York City office. He advises clients on U.S. and international privacy laws and regulations pertaining to consumer privacy, employee privacy, data security, and cybersecurity. Christopher regularly counsels companies on how to prepare for, respond to and recover from cybersecurity events.