“We are pleased that the Administration has made consumer privacy a priority, and this legislative proposal provides a good starting point for further discussion," an agency spokesperson said in a statement. "However, we have concerns that the draft bill does not provide consumers with the strong and enforceable protections needed to safeguard their privacy. We look forward to working with Congress and the Administration to strengthen the proposal.”
The White House declined to comment on the growing criticism. The president announced the legislation during a speech at the Federal Trade Commission in January, saying it would be released within 45 days, but the core of the legislation dates back to a set of principles outlined by the administration in 2012.
"In this digital age, particularly as big data innovations drive advances across our economy, more and more data about Americans is being collected and stored," a fact sheet announcing the draft legislation said. "And, even though responsible companies provide us with tools to control privacy settings and decide how our personal information is used, too many Americans still feel they have lost control over their data."
The draft bill would allow industries to develop their own codes of conduct or privacy policies that would then be enforced by the FTC. "Based on that model, all current practices related to data collection, use, and sharing – even flawed practices – would be allowed to continue," Rep. Frank Pallone, Jr. (D-N.J.) and Rep. Jan Schakowsky (D-Ill.) said in a joint statement, and the FTC's authority to prevent unfair acts or practices would be curtailed.
"Unfortunately, not only does this bill fail to move consumer protection forward, it may move it backward," their statement said.
Jeffrey Chester, the executive director of the Center for Digital Democracy, also criticized the draft bill. "It fails to give the FTC, the country’s key privacy regulator, 'rule-making' authority to craft reasonable safeguards, and actually empowers the companies that now harvest our mobile, social, location, financial, and health data, leaving them little to fear from regulators," he said in a statement.
Privacy advocates also worry that the plan might strain the resources of the agency. "There's a logistical problem with the FTC and the public having to review hundreds of these codes," Laura Moy, senior counsel at New America's Open Technology Institute, said in an interview.
Harold Feld, a senior vice president at Public Knowledge, agreed. "It's not clear to me that this is a very practical approach," he said.
The draft would also preempt state laws, some of which are stronger than those laid out in the proposal, and would exempt start-ups from privacy requirements for the first 18 months of data collection, privacy advocates said.
Not everyone criticized the White House's effort. Several technology industry-related groups released statements praising the draft bill.
"Key concepts in the bill that will advance the privacy discussion in a very practical way include the focus on context to shape appropriate uses of data, the recognition that assessing benefit and risk is important, and the introduction of Privacy Review Boards as internal or external structures that can help approve beneficial uses of data that could otherwise be constrained by law," said Jules Polonetsky, the executive director of the Future of Privacy Forum, which is backed by companies tied to technology and data-mining industries.
There was a behind-the-scenes scramble to change parts of the bill this week, according to multiple the privacy advocates who took part in the back and forth, which changed at least one significant aspect of the bill involving privacy standards for communications companies.
“We were pleased to see that the Administration took our suggestion and removed the provision, found in an earlier draft, which would have moved telecommunications carriers and cable companies from the privacy regime regulated and enforced by the FCC to a self-regulatory system within the FTC's purview," Pallone and Schakowsky's statement said. Such a provision would have weakened privacy rules now set to be enforced under Thursday's net neutrality decision by the Federal Communications Commission. The ruling reclassified Internet service providers as "common carriers" like telephone companies.
Moy blamed the last-minute scramble on many members of the privacy community being left out of the development of the bill until very late in the process. "They engaged with us too late," she said. "I still don't understand why they waited until a week before this self-imposed deadline to reach out to privacy advocates."
While some organizations, including the Electronic Frontier Foundation, were looped into the process earlier, many other privacy groups told the Post they were unable to review a version of the draft until a meeting at the Department of Commerce last Friday.
Earlier this week, Politico reported that some technology trade groups were also upset about their access to the process through which the draft was developed.
In its fact sheet, the White House said the draft was "offered in the spirit of bringing all stakeholders into a public dialogue to advance new privacy protections."
Sen. Edward Markey (D-Mass.), another critic of the draft, said he would soon introduce his own version of legislation aimed providing accountability and transparency for the data mining industry.
"Next week, I will introduce legislation that will allow consumers to access and correct their information to help ensure maximum accuracy," Markey said in a press release. "The bill also provides consumers with the right to stop data brokers from using, sharing, or selling their personal information for marketing purposes."