Obama calls for data breach notification law, privacy bill of rights

12.01.2015
U.S. President Barack Obama will push Congress to pass a law requiring companies that are victims of data breaches to notify affected consumers within 30 days and a second law that gives consumers more control over their digital data, he said.

Obama will call for a national data breach notification law and a Consumer Privacy Bill of Rights in ID theft and privacy initiatives in his State of the Union speech Jan. 20, he said Monday at the Federal Trade Commission.

Neither of those proposals is a new one -- the White House first called for a consumer privacy bill of rights in February 2012 and has backed a national breach notification law for years -- but Congress has failed to pass those proposals. With a growing number of data breaches coming to light, it's important for Congress to protect Internet users from a "direct threat" by hackers, Obama said.

"If we're going to be connected, then we need to be protected," Obama said. "As Americans, we shouldn't have to forfeit our basic privacy when we go online to do business."

More than 45 states have their own data breach notification laws, but there's no national standard. A lack of a national standard confuses consumers and raises compliance costs for companies, Obama said. "Sometimes folks don't even find out their credit card information has been stolen until they see charges on their bill, and then it's too late," he said.

The privacy bill of rights would allow consumers to decide what pieces of their personal data are collected by companies and decide how the data is used. The legislation would allow consumers to prohibit companies that collect their data for one purpose from using it for another purpose, Obama said.

Obama will also push Congress to pass a student digital privacy bill that would limit companies that collect data as part of educational services to using it only for educational purposes. The proposal would prohibit companies from selling student data to third parties for non-educational purposes and from using data collected in an educational setting to deliver targeted advertising.

Educational technology is delivering great benefits, but some companies have explored other ways to use the collected data, Obama said. "We want our kids' privacy protected, wherever they sign on or log on, including at school," he added. "We're saying that data collected from students in the classroom should only be used for educational purposes to teach our children, not to market to our children."

Obama noted that 75 educational tech companies have signed a pledge to protect parents, teachers and students from the misuse of personal data. Obama called on other educational tech companies to sign the pledge.

"If you don't join this effort, we intend to make sure those schools and those parents know you haven't joined this effort," he said.

The push to provide consumer and student privacy protections shouldn't be a partisan issue in Washington, D.C., Obama said. The issue "transcends politics and transcends ideology," he said. "Everybody's online, and everybody understands the risks and vulnerabilities, as well as opportunities that are presented by this new world. Business leaders want their privacy and their children's privacy protected just like everybody else does."

Obama is scheduled to announce additional cybersecurity proposals on Tuesday and a broadband expansion plan on Wednesday.

Several groups applauded Obama's ID theft and privacy efforts, including the National Retail Federation, which praised his call for a national data breach notification law. Obama's proposals will "protect consumers while providing much-needed focus on concrete steps that can be taken now in order to protect consumers and businesses alike from cybercriminals," the trade group said in a statement.

But Obama's proposals related to a privacy bill of rights and student privacy may limit legitimate uses of collected data, said Daniel Castro, a senior analyst with the Information Technology and Innovation Foundation, a tech-focused think tank.

The privacy bill of rights "would limit opportunities to use data-driven innovation across a variety of fields," Castro said in a statement.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service.