The first piece of legislation, the Personal Data Notification and Protection Act (PDNPA), will propose federal guidelines for categorizing data breaches as well as obligate corporations to notify consumers within 30 days of a breach or loss of data. Creating a universal set of rules for notifying customers of breaches has the support of many corporations as there are currently 47 unique laws on the books in different states as well as the District of Columbia, Puerto Rico, the Virgin Island and Guam. These rules outline how data breach notifications should currently be handled, leading to confusion amongst the companies affected. “Right now almost every state has a different law on this and it’s confusing for consumers and it’s confusing for companies – and it’s costly too, to have to comply with this patchwork of laws,” said President Obama.
The Student Data Privacy Act, the second piece of proposed legislation, is modeled after a current California law, the Student Online Personal Information Act. Under the Act, third-party technology firms who gather student information through the burgeoning use of online and digital education technology will be bound from, among other things, soliciting that data to other companies or using it to advertise to those same students.
Lastly, President Obama introduced proposed revisions to the Consumer Privacy Bill of Rights. The bill would bestow consumers with the ability the elect which types of personal information they wish to share with corporations as well as the ability to decide how said corporations use that same data. The revised proposal is set to be released on Feb. 26.
Many major corporations, from Bank of America and J.P. Morgan Chase to Apple and Microsoft, have thrown their support behind the President’s proposals, electing to voluntarily commit to these initiatives to protect consumer data.
All of these announced proposals, as well as the enactment of several other federal cybersecurity bills, come on the heels of multiple prominent consumer data breaches in the past few years. Any company – regardless of industry – that collects, processes, stores or uses consumer data will surely be affected by these efforts to protect consumers’ personal information.
Source: Ropes & Gray LLP, 1/14/2015
Posted: February 2, 2015