The Obama Administration released a draft of legislation that would make it easier for consumers to see or remove the personal data that companies keep. The Consumer Privacy Bill of Rights Act of 2015 would address the large amounts of data that companies can collect from customers -- whether it's used internally, analyzed by advertisers, or sold to a third-party aggregator. It would require companies to provide "concise and easily understandable" explanations of how data will be used, as well as options for customers to see, correct, or remove information.
Specifically, this covers information like names, addresses, social security or passport numbers, fingerprints, or credit card numbers; it does not cover "de-anonymized" data that theoretically couldn't be traced back to a specific person, or information involved in identifying a cybersecurity problem, as long as companies make "reasonable efforts" to remove identifying information. Companies have to make clear what information is collected, who it will be shared with, when and if it will be destroyed, how it's kept secure, and how customers can see or remove it. Companies are also required to take "reasonable steps" to mitigate privacy risks and make them clear to users, and the FTC will need to establish rules for privacy reviews. If a company violates the terms of the act, it's subject to lawsuits from the FTC, users, and state attorneys general. The bill creates exemptions for small operators, including people who process data for 10,000 or fewer people a year or have no more than five employees, which the White House says can ease the burden for small businesses.