Wednesday, March 14, 2012

Obama Administration Releases Consumer Privacy Bill of Rights

In April 2011, Senators Kerry and McCain introduced a bill entitled the “Commercial Privacy Bill of Rights.” As discussed in this space, the bill would have required online collectors of information to permit individuals to opt out of the collection of information about browsing and shopping activities, and would have required affirmative consent (opt-in) for the collection of sensitive personally identifiable information, including email addresses. The bill’s introduction was met with significant hand-wringing by the online business community about the impact that it might have on the business practices of even the most reputable electronic merchants. The bill was referred to committee, and little has been heard about it since.

But the issue has not gone away. Apple, Google, Facebook, Path, UPromise, and others have all suffered embarrassing public relations setbacks as a result of the exposure of certain of their practices relating to the collection and use of user information.

In the meantime, the Obama Administration has shifted its focus to a (mostly) non-legislative solution to the perceived need for more robust protection of consumers’ online privacy. On February 23, 2012, the Obama administration published A Consumer Privacy Bill of Rights. The Consumer Privacy Bill of Rights provides for industry self-regulation coupled with the prospect of government enforcement in the event that industry fails to do the things that it claims it will do. It would apply to “personal data,” broadly defined as any data that can be linked back to an individual.

The seven principles enshrined in the Consumer Privacy Bill of Rights are as follows:
  1. “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.” This principle would require that consumers be given an appropriate measure of control over the personal data that companies collect and use. The control mechanisms should be simple and be commensurate with the scope and sensitivity of the data being collected.
  2. “Consumers have a right to easily understandable and accessible information about privacy and security practices.” This principle would require clear and meaningful disclosures of the types of data collected, why the data is needed, how it will be used, and whether and for what purpose it might be shared with third parties.
  3. “Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provided the data.” Pursuant to this principle, companies should limit their use and disclosure of data to purposes that are consistent with the relationship that the company has with the consumer, and the context in which the data was disclosed.
  4. “Consumers have a right to secure and responsible handling of personal data.” This principle imposes an obligation on companies to handle personal data in a responsible manner and to maintain reasonable safeguards against loss, unauthorized access, or disclosure.
  5. “Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.” This concept would require that, at least with respect to certain kinds of sensitive data, companies should permit consumers to view information that has been archived about them and allow consumers to make corrections to that data.
  6. “Consumers have a right to reasonable limits on the personal data that companies collect and retain.” Under this theory, companies should only collect as much data as they need to accomplish the disclosed purpose of their data collection and should delete the data when it is no longer necessary.
  7. “Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.” This provision would require training of employees and accountability to enforcement authorities in the event of noncompliance with the principles embedded in the Consumer Privacy Bill of Rights.
The basic provisions of the Consumer Privacy Bill of Rights are so general as to be virtually meaningless without significant additional work. The administration’s plan is to work with stakeholder groups from various industries through what it refers to as a “multistakeholder process” to develop the practices and technologies necessary to implement these general principles. The stated objective is to draft a set of guidelines specific enough to be enforceable. But, at least initially, the process does not contemplate enforceable legislation or regulation. Rather, the working groups would establish best practices, which companies would then have the opportunity to adopt. In the event that a company fails to comply with the voluntarily undertaken rules, it would be subject to potential enforcement action by the FTC. Ultimately, however, the administration acknowledges that it would be in favor of legislation authorizing the FTC and the various state attorneys general to enforce the industry-written guidelines.

Although the substantive provisions of the Consumer Privacy Bill of Rights are very general, the document contains some clues as to the administration’s priorities among the specific provisions of the final codes of conduct. In particular, the text of the report foreshadows some of the specific rules that appear to be important to the administration:
  1. It appears likely that changes to browser technology (something akin to Firefox’s “private browsing” tool) may play an important role. Major online players such as Google and the Digital Advertising Alliance were involved in the drafting of the document and the publishers of the major browsers have apparently agreed to honor consumers’ “do not track” selections.
  2. One of the seven basic principles focuses on accessibility to information and the ability of consumers to correct mistakes. Many collectors of online data currently do not provide either of those capabilities, so it will be interesting to see in what direction the discussion moves on that topic.
  3. The “individual control” discussion acknowledges that the complexities presented by third-party aggregators of data must be addressed. These third-party aggregators may have no direct relationship with consumers, and include those who search publicly available sources of data for the purpose of building profiles of individuals. These entities currently are not within the reach of privacy regulations, but the focus on that model suggests that they may be within the reach of the new standards.
It remains to be seen whether the process envisioned by the Obama Administration will actually result in any enforceable or meaningful development in the privacy area. And there is no guarantee, of course, that Congress will refrain from acting in the meantime, or that the various states will not act on their own. It is certain, however, that the conversation will continue, and that the outcome has the potential to be very important to members of the direct and online marketing communities.
