Although most states have enacted some form of data privacy and breach notification laws, and certain federal statutory schemes cover specific industry sectors, there are no privacy protections for all personal data. Given the increasing collection and use of personal data, and the frequent headlines regarding data breaches, the White House released its administration discussion draft of the Consumer Privacy Bill of Rights Act (“CPBR”) on February 27, 2015. The CPBR has largely been met with criticism from both industry groups and consumer groups.

Industry groups contend the new law is not needed because there are already adequate privacy regulations. See Ana Radelat, ANA Pans Obama’s Consumer Privacy Bill of Rights (Mar. 4, 2015). Industry groups also believe that the increased regulation would stifle innovation. See Brendan Fasso, Obama’s ‘Privacy Bill of Rights’ Gets Bashed from All Sides (Feb. 27, 2015) (“Tech companies warned that the [CPBR] would impose burdensome regulations, potentially stifling exciting new online services that could benefit consumers.”).

On the other hand, many privacy and consumer groups have complained that the bill does not go far enough to protect consumers. As the LA Times reported, representatives from the Center for Democracy and Technology, Consumer Watchdog, Electronic Frontier Foundation, and Public Knowledge have criticized the bill for not “adequately defining ‘what constitutes sensitive information,’ not being clear about whether it protects large categories of information like geolocation data, allowing companies to retain user data indefinitely for criminal investigations without placing clear limits on data retention for that purpose, and not offering heightened protection for information about children and teens.” See Tracey Lien, Consumer Privacy Bill of Rights Doesn’t Go Far Enough, Critics Say, LA TIMES (Mar. 3, 2015)...