Part 2: Notice, Consumer Control, and Context
Yesterday we brought you the first part in DWT’s series analyzing the Obama Administration’s proposed Consumer Privacy Bill of Rights, which would require greater transparency by businesses in their privacy practices, and grant individuals certain rights and controls over how businesses collect, use and share personal information. Part 1 examined how the proffered bill of rights defines personal data, its de-identification provisions, and its retention requirements.
In this post, we look at the proposal’s notice, consumer choice and control, and context requirements.
The proposal would require a covered entity to provide accurate, clear, timely and conspicuous notice to individuals about the entity’s privacy and security practices. The notice would have to be in concise and easily understandable language, be “reasonable in light of context,” and include extensive information regarding the entity’s personal data collection, use, retention, disclosure, and security practices and purposes.
The President’s proposal appears to have incorporated the Federal Trade Commission’s past suggestions that companies should use flexible and innovative methods to provide consumers with concise notice, particularly in the Internet of Things (IoT) space. Unfortunately, the notice provision in the proposal is troublingly vague and gives covered entities very little guidance on how to actually give sufficient notice. First, the proposal gives no suggestion as to what the terms “concise and easily understandable” mean, and does not address how a covered entity could both comply with the provision and still draft a “concise” notice that is legally protective. Indeed, the proposal appears to give no legal protection against claims that an otherwise concise and easily understandable notice left out certain terms that should have been included. Second, what is “reasonable in light of context” is also not well defined (discussed below). Third, the President’s proposal does not state the manner in which covered entities would have to provide notice to consumers. This could create a serious compliance problem, as entities that must provide notice would have no clear indication that their notice process actually conforms to the proposal’s terms.
While the proposal may have been intended to give covered entities flexibility in deciding exactly how to notify consumers, the uncertainty here is more likely to make compliance in this area ripe for regulatory enforcement actions.
Under President Obama’s proposal, covered entities would have to give individuals reasonable means to control the processing of their personal data, subject to certain enumerated exceptions. Such means of control would include, but not be limited to, providing methods to give and withdraw individual consent, correct inaccuracies, permit or restrict data access, or otherwise determine and implement individuals’ privacy preferences. Consumer controls would have to be in proportion to the privacy risk and “consistent with context.”
The proposal’s choice and control provisions mirror many of the legislative recommendations made in the Federal Trade Commission’s 2014 Data Brokers Report, including giving consumers greater access to and control over their information. Yet the proposal, as currently written, would apply these controls far beyond data brokers to include nearly every business that deals with personal data (with some exceptions).
Many of the obligations for covered entities – including both the notice and control requirements – as well as the scope of individual protections are qualified by the term “context.” For instance, the proposal puts additional duties on covered entities that process personal data “in a manner that is not reasonable in light of context.” Such additional duties include conducting privacy risk analyses, and mitigating identified risks through heightened transparency and individual controls designed to allow persons to reduce privacy risk exposure.
The proposal broadly defines “context” as the circumstances surrounding the processing of personal data, which includes but is not limited to:
- The extent, frequency, nature and history of the covered entity’s interactions with individuals;
- The level of understanding that the covered entity’s reasonable users would have of how the covered entity processes personal data;
- The privacy preferences of individual users known by the covered entity;
- The types of personal data foreseeably processed as a business record, or used to provide or market goods or services that an individual requests from the covered entity; and
- The age and sophistication of the covered entity’s users.
The definition and application of “context,” as currently drafted, seem awkward and unwieldy, and might make it more challenging for covered entities to defend against regulatory enforcement. Many of the proposal’s major duties and exceptions depend upon what is or is not reasonable in context, yet the bill’s language apparently leaves reasonableness in the eye of the beholder. What is reasonable in a given context from a covered entity’s perspective may not seem reasonable to an enforcing agency.