The President announced a fleet of proposals aimed at improving the data privacy of U.S. consumers. But some privacy advocates worry that one aspect, the push for a national data breach notification standard, might actually leave some consumers with fewer protections.
Details remain scant, but under the proposed Personal Data Notification & Protection Act, companies would be obligated to notify customers within 30 days of discovering a breach that exposed their personal information.
"We're introducing new legislation to create a single strong national standard so Americans know when their information has been stolen or misused," the President said during a speech at the Federal Trade Commission. "Right now almost every state has a different law on this and it's confusing for consumers and it's confusing for companies -- and it's costly too, to have to comply with this patchwork of laws."
There are an awful lot of state-level security breach notification laws -- 47 to be exact, plus separate ones in the District of Columbia, Guam, Puerto Rico and the Virgin Islands as of September, according to the National Conference of State Legislatures. But what the President calls a patchwork, many consumer privacy advocates see as a vital part of developing stronger protections. The state level, some experts say, is where the strongest protections currently exist and where new ones are now being created.
"The companies are really afraid of the states as laboratories of democracy and they want to overturn stronger state laws," said Jeffrey Chester, the executive director of the Center for Digital Democracy. "They want a weak set of standards that will remove the ability of states to do a better job."
Alvaro Bedoya, the executive director of Georgetown Law's Center on Privacy and Technology, said the privacy community is concerned the proposed federal regulation "will actually dilute state standards." Nearly all states have established some form of breach notification law in recent years, which has resulted in a sort of "race to the top" where companies often comply with the most rigorous state-level regulations, he said.
The worry is that a national standard might include language to overrule stronger state-level regulations like those in California, explained Edmund Mierzwinski, the Consumer Program Director at U.S. PIRG -- effectively turning it into a sort of "Trojan Horse" for industry interests.
"The industry will take advantage of any proposal to provide privacy notices on a federal framework as an opportunity to have a much broader preemption of state law," Mierzwinski said.
Some industry voices have already come out in support of the President's proposal. David French, Senior Vice President for Government Relations at the National Retail Federation, said in a statement that the group has "long-supported a national and preemptive data breach notification standard and law."
The exact parameters of the Personal Data Notification & Protection Act remain murky, and some privacy advocates remain supportive of other aspects of the privacy agenda the President proposed at the FTC. But until more details emerge, many appear to be skeptical about the type of national breach notification law that would make it through the current legislative environment.