On February 23, 2012 President Obama’s administration (“the Administration”) released an important new report entitled “Consumer Data Privacy In A Networked World: A Framework For Protecting Privacy And Promoting Innovation In The Global Digital Economy.” President Obama situates the new report as a mechanism that encourages the further development of online enterprises by protecting, enlightening, and enabling consumers’ privacy choices. “For businesses to succeed online,” President Obama asserts, “consumers must feel secure.”
The report announced the Administration’s new four-element online privacy framework, which is designed to augment already existing privacy protection laws. The first, and perhaps most critical, element of the new framework is a Consumer Privacy Bill of Rights (“CPBR”). The framework also consists of a multistakeholder process “to specify how the principles in the [CPBR] apply in particular business contexts, recommendations for effective enforcement, and a commitment to increase interoperability with international privacy protections.”
This post includes a dissection of each of the four elements of the Administration’s new framework, followed by a discussion of initial reactions to the framework.
Consumer Privacy Bill of Rights
The first element of the Administration’s new privacy framework is a comprehensive Privacy Bill of Rights. The CPBR is designed to set forth “individual rights and corresponding obligations of companies in connection with personal data.” The rights are fundamentally based on Fair Information Practice Principles (“FIPPs”), which were developed by the United States in the 1970s and have since achieved international recognition. The Administration’s new CPBR seeks to apply FIPPs to the current environment of the Internet, in which data processing about individuals is “far more decentralized and pervasive” than ever before. To accomplish this, the Administration seeks to carry FIPPs forward in two ways: by “affirming a set of rights that inform what they should expect about companies that handle personal data,” and by “emphasiz[ing] the importance of context” in the application of such rights. The CPBR holds that consumers have the right to the following:
- Individual Control: “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”
This right states that companies should provide consumers with the “appropriate control” over the data they share with others and over how companies “collect, use, or disclose” the personal data they collect. The number of control options a website presents should be a function of both how much information a company collects and how sensitive that information is. Consumers also have the responsibility to “evaluate their choices” and to “take responsibility for the ones that they do make.”
- Transparency: “Consumers have a right to easily understandable and accessible information about privacy and security practices.”
This right states that companies should provide clear descriptions of “what personal data they collect, why they need the data, how they will use it, when they will delete it, and whether and for what purposes they may share personal data with third parties.” This information should be made available at the times and places where it is most useful for the consumer to gain a meaningful understanding of privacy risks and to exercise control over their data.
- Respect for Context: “Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.”
This right states that companies should “limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data.” Should a company decide to use or sell such information for purposes outside of the established context, the company should be especially transparent about its use of the data by “disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection.”
- Security: “Consumers have a right to secure and responsible handling of personal data.”
This right states that companies should “assess the privacy and security risks associated with their personal data practices” and in turn “maintain reasonable safeguards” to prevent loss of data, unauthorized access or modification, and improper disclosure.
- Access and Accuracy: “Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.”
This right states that companies should use “reasonable measures to ensure they maintain accurate personal data” and should “provide consumers with reasonable access to personal data that they collect” as well as the “appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation.”
- Focused Collection: “Consumers have a right to reasonable limits on the personal data that companies collect and retain.”
This right states that companies should “collect only as much personal data as they need” to accomplish the purpose of the website. Companies should also “securely dispose of or de-identify personal data once they no longer need it.”
- Accountability: “Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.”
This right states that companies should be “accountable to enforcement authorities and consumers for adhering to these principles.” Companies also should “hold employees responsible for adhering to these principles.” To achieve this, the report advises that companies should “train their employees to handle personal data in a manner consistent with these principles” and, where appropriate, “conduct full audits.” For companies that disclose personal data to third parties, the report states that they should, at a minimum, “ensure that the recipients are under enforceable contractual obligations to adhere to these principles.”
Multistakeholder Process to Develop Codes of Conduct
To implement the principles enshrined in the CPBR, the Administration recommends and encourages that a broad coalition of actors come together under the direction of the Department of Commerce’s National Telecommunications and Information Administration (“NTIA”). The Administration views the multistakeholder process as a way for interested parties to develop and then adapt codes of conduct that “protect consumers’ privacy as technologies and market conditions change.” Such open and transparent processes are extolled by the Administration because they “provide the flexibility, speed, and decentralization necessary to address Internet policy changes.” The Administration specifically calls out “individual companies, industry groups, privacy advocates, consumer groups, crime victims, academics, international partners, State Attorneys General, Federal civil and criminal law enforcement representatives, and other relevant groups” to be a part of the multistakeholder process.
The report defines the multistakeholder process it envisions in terms of three principal stages. The first stage of the process is deliberation. With the assistance of NTIA, stakeholder groups are to identify “markets and industry sectors that involve significant consumer data privacy issues.” NTIA will then work to enlist the participation of stakeholders to “develop an enforceable code of conduct.” Once interested parties are convened, NTIA is responsible for ensuring that stakeholders work together to resolve any differences that may arise. A code of conduct that “reflects the agreement of all stakeholders” is then ready for companies to consider adopting.
The second stage of the process is adoption. The report states that once a code of conduct has reached completion, companies to which the code is relevant may choose to adopt it. The Administration relies on Section 5 of the FTC Act to make a company’s public commitment to adhere to a code of conduct enforceable.
The third stage of the process is evolution. The Administration states that a key goal of the multistakeholder process is to “enable stakeholders to modify privacy protections in response to rapid changes in technology, consumer expectations, and market conditions.” The report states that individual stakeholders can at any time decide that a code of conduct is no longer relevant. In addition, NTIA can also conclude that a code is in need of revision and seek to re-convene stakeholders in a new deliberation process. The report emphasizes that a code of conduct is a voluntary agreement that may not be revised directly by the federal government.
Notably, a code of conduct related to the “Do Not Track” mechanism has been created through a procedure similar in nature to the Administration’s ideal multistakeholder process. Following efforts spearheaded by the Digital Advertising Alliance, the FTC and the Commerce Department, all four major Internet browser developers and many of the leaders of the online advertising business agreed to implement “do not track” policies. Such policies will allow individuals to tell websites (via an HTTP header) that they do not want their web browsing activity “tracked,” that is, reported back to third-party services that collect the information for advertising and other purposes.
Recommendations for Effective Enforcement
The third element of the new privacy framework consists of establishing enforcement mechanisms that ensure privacy commitments made by companies are meaningful. The Administration first explains that under current law the FTC has authority to enforce the commitments of companies to adhere to codes of conduct developed through the multistakeholder process. Nonetheless, the Administration recommends that Congress pass legislation that adopts the CPBR and grants the FTC and State Attorneys General specific authority to enforce each of its elements.
Beyond its appeal for statutory codification, the Administration further recommends that Congress create a provision that gives the FTC the authority to grant a “safe harbor” (defined as forbearance from enforcement of the statutory CPBR) to companies that follow a code of conduct that the FTC has reviewed and approved.
The Administration stresses that a federally enacted CPBR should “provide a national standard for protecting consumer data” that creates “certainty for companies and consistent protections for consumers.” The Administration thus requests that Congress ensures that any enacted legislation preempts inconsistent state laws.
The Administration also voices support for preserving existing sector-specific federal data privacy laws that effectively protect personal data. Such existing privacy laws generally establish legal obligations that are tailored to the sensitivity of the data associated with a specific industry, such as healthcare or banking. To avoid “duplicative regulatory burdens,” the Administration supports exempting companies from any newly enacted privacy legislation, to the extent that “their activities are subject to existing Federal data privacy laws.” However, activities within such companies “that do not fall under an existing data privacy law” would still be covered by the new privacy legislation recommended by the Administration.
Finally, the Administration recommends the adoption of a national standard that requires companies to notify consumers of unauthorized disclosures of personal data. While almost all states currently have independently created security breach notification laws, a single standard would eliminate a significant burden on companies that must comply with the current patchwork of state laws.
Promoting International Interoperability
The Administration states that the two principles that underlie its approach to achieving interoperability are mutual recognition and enforcement cooperation. The Administration states that mutual recognition depends on the existence of effective enforcement and well-defined accountability mechanisms. To achieve this, the Administration recommends the international adoption of multistakeholder processes because of their ability to develop scalable and flexible codes of conduct that “simplify companies’ compliance obligations.” Enforcement cooperation, in turn, will ensure that countries are able “to protect their citizens’ rights when personal data crosses national boundaries.”
Critical Reception to the Framework
While the Administration’s privacy framework is still in its infancy, the framework appears to have been met with subdued optimism. Time states that the most “remarkable” element of the new framework is that it has not been greeted with outrage from Silicon Valley companies, who have previously opposed similar privacy legislation efforts led by the California State Senate. However, Time also posits that one of the main reasons why technology companies have so far been optimistic about the new framework is because it is “just a policy outline” that “will be sent to a Congress that isn’t likely to touch it anytime soon.”
Technology companies also appear to view the framework as an opportunity to participate in ongoing discussions about the future of privacy legislation. This is perhaps because of the framework’s focus on multistakeholder decision-making processes, which encourage the full involvement of all affected parties. Participating in such privacy discussions allows companies to “be at the table and help shape solutions,” says Jules Polonetsky, director of the Future of Privacy Forum. Technology companies can therefore help ensure that the legislation ultimately adopted can be feasibly implemented. At the same time, companies that take part in this privacy discussion can reassure their users that privacy is an issue they pay attention to and take seriously.
Technology public interest groups have also expressed general optimism towards the framework. The Electronic Frontier Foundation has stated that it believes the Administration’s “user-centered approach to privacy protection” is a “solid one.” The Center for Democracy and Technology “welcome[d] the Administration’s unveiling,” stating that it supports the report’s “call for the development of consensus rules on emerging privacy issues to be worked out by industry, civil society, and regulators.”
Some commentators, however, have expressed concerns about the new privacy framework. A Forbes op-ed authored by Adam Thierer highlights that “no matter how well-intentioned regulation proposals may be, they can often have unforeseen, unintended consequences.” The author expresses concern that a government-led approach to establishing privacy protection will result in a “heavy-handed, innovation-killing model of information control on the Internet.” Other commentators have lamented the fact that technology companies will be able to exert so much influence over the future of privacy legislation, calling the framework “toothless” and “misguided,” while others argue that it does not focus on the most pressing issues.
While it is too early to tell for certain, President Obama’s new privacy framework appears to usher forward a new discussion about digital privacy rights. The process of ultimately adopting new online privacy norms will likely entail significant efforts by interested parties both on and off Capitol Hill. It is encouraging that the Administration’s framework has sought to ensure that this process involves a wide variety of affected parties in a transparent, inclusionary process. By incentivizing technology companies to come forward and participate in the creation process, the resulting legislation should provide additional consumer protection without stifling the development of future activities on the web.
It should be noted, however, that for the Administration’s proposed framework to truly work as intended, all of the parties involved must remain diligently committed to privacy reform for the long term. This will require an effort by consumers to become more knowledgeable and aware of their online privacy rights and expectations. Clear, easy-to-understand privacy policies and proposals, such as the Administration’s new CPBR, will be essential in making this a reality.