NEW YORK (MainStreet) – It’s no secret advertisers love to collect data on you to create better-targeted ads, and efforts to allow consumers to keep their data private have relied largely on self-enforcement regimes. Now the government is getting involved.
The Obama administration today released a Consumer Privacy Bill of Rights that lays out seven principles of privacy protections, including the right to exercise control over the dissemination of one’s data and the right to transparent privacy policies. The bill of rights is not legislation, acting more as a framework and statement of principles, but it sounds like the administration means business.
“The administration supports federal legislation that adopts the principles of the Consumer Privacy Bill of Rights,” reads the statement. For now, though, the bill of rights remains a statement of principles, and as such it’s difficult to say what the end result will be.
“The devil is going to be in the details,” acknowledges Paul Stephens, director of policy and advocacy for the nonprofit group Privacy Rights Clearinghouse. “It is a framework that certainly represents a decent start, but the key is going to be in three components,” he says, which include the legislation and regulations that grow out of it, and the enforcement thereof.
On paper, then, it looks fine as a work in progress, though Stephens does acknowledge that at least one provision – the “Respect for Context” clause, which says companies “will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data” – seems somewhat subjective and open for interpretation. As such, consumers concerned about their privacy will have to wait and see how this vague language of the bill of rights will translate into actionable regulation.
“Anybody can stand behind some broad principles about respecting privacy rights,” Reitman says. “Whether it’s enforceable is still a far-off issue.”
But even if the bill of rights doesn’t turn into a bill that enshrines consumers’ right to privacy, the administration has indicated it could bypass Congress altogether to create its own enforcement regime, noting that “even without legislation, the administration will convene multistakeholder processes that use these rights as a template for codes of conduct that are enforceable by the Federal Trade Commission.”
That’s a crucial statement, particularly as it pertains to allowing consumers to opt out of third-party tracking. Previous efforts to implement a “do not track” system akin to the “do not call” registry came under fire from privacy advocates for lacking any sort of formal enforcement regime. While Mozilla’s Firefox browser and Microsoft’s Internet Explorer browser incorporated a “do not track” feature that allowed users to opt out of tracking, the advertisers who actually signed on to the system simply promised to keep themselves in line. The president’s statement essentially says that even if Congress doesn’t pass legislation based on the proposed bill of rights, it will still take steps to create a formal code of conduct enforceable by the Federal Trade Commission.
“The way it is right now … it’s historically been self-enforcing,” says Rainey Reitman, activism director for the digital rights advocacy group the Electronic Frontier Foundation. “The White House statement today changes that, so it will be under the umbrella of FTC enforcement.”
Importantly, the changes were announced in conjunction with an about-face by a company that’s been making all the wrong headlines lately because of its privacy practices: Google. Unlike Mozilla and Microsoft, Google never implemented the system for its Chrome browser. But the company signed on to the program today, and if the FTC really intends to start enforcing the system with or without legislation, that means consumers will have an enforceable opt-out feature on the three major Web browsers.
But the “do not track” program is just one aspect of the overall regulation and enforcement regime that the White House clearly hopes will grow out of this bill of rights.
The following is the full text of the Consumer Privacy Bill of Rights:
The Consumer Privacy Bill of Rights applies to personal data, which means any data, including aggregations of data, that is linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device. The Administration supports Federal legislation that adopts the principles of the Consumer Privacy Bill of Rights. Even without legislation, the Administration will convene multistakeholder processes that use these rights as a template for codes of conduct that are enforceable by the Federal Trade Commission. These elements—the Consumer Privacy Bill of Rights, codes of conduct, and strong enforcement—will increase interoperability between the U.S. consumer data privacy framework and those of our international partners.
1. INDIVIDUAL CONTROL: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
2. TRANSPARENCY: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.
3. RESPECT FOR CONTEXT: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.
4. SECURITY: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.
5. ACCESS AND ACCURACY: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.
6. FOCUSED COLLECTION: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
7. ACCOUNTABILITY: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.
Matt Brownell is a staff reporter for MainStreet. You can reach him by email at firstname.lastname@example.org, or follow him on Twitter @Brownellorama.