Part 5: Accountability

This week we have brought you a multi-part series analyzing the Obama administration’s proposed Consumer Privacy Bill of Rights  (“CPBR” or “proposal”), which would require greater transparency by businesses in their privacy practices, and grant individuals certain rights and controls over how businesses collect, use and share personal information. Part 1 examined how the CPBR defines personal data, its de-identification provisions, and its retention requirements. Part 2 examined its notice, control and context requirements. Part 3 reviewed the commercial and non-commercial entities that would be subject to the proposal (i.e., “covered entities”), and Part 4 reviewed its data security requirements.

In this post, we look at the accountability measures that covered entities would be required to take to ensure compliance with the CPBR.

Affirmative obligation to adopt privacy by design

Privacy by design” is an approach to privacy management that calls for privacy protections to be built into the design of a company’s information technology systems, business practices, and infrastructure, and factored into each stage of product and service development.  The underlying theory is that privacy measures are most effective if they are proactive components of a system from the start, rather than reactive measures after the fact.  The concept has been widely embraced in proposed guidelines for privacy frameworks, including the FTC’s recommendations for businesses and policymakers issued in 2012.  Guidelines, however, are merely recommendations, so the call for companies to adopt privacy by design has thus far been discretionary.

The CPBR seeks to change that, creating an affirmative obligation for covered entities to build “appropriate consideration for privacy and data protections into the design of its systems and practices . . . .”  This obligation is presented in the CPBR as a measure to hold covered entities accountable for compliance with its provisions.  The vagueness of the measure makes it difficult to see how it could achieve that end, however.  As a standard, “appropriate consideration” is a moving target, and with the exception of a few specific measures discussed below, the CPBR does not specify criteria for building privacy into systems and practices.  Accordingly, as written, it is unclear how compliance with the measure would be assessed, or how it could be enforced.

Specific accountability measures

The CPBR would also require covered entities to: (1) provide training to employees who handle personal data; (2) conduct internal or external privacy assessments; and (3) “bind[] any person to whom the covered entity discloses personal data” to use the data consistently with the entity’s commitments and obligations under Title I of the CPBR.

If these accountability measures sound familiar, it is probably because they are fairly standard components of existing privacy programs, and commonly found in privacy best practices and guidelines.  It may also be because employee training, periodic audits, and contractual limitations on third parties are common features of consent decrees settling FTC enforcement actions alleging unfair or deceptive practices with respect to the privacy and security of consumer data.  The CPBR would take them out of the remedial context, and make them affirmative and continuing obligations.  Notably, despite this apparent nod to the FTC’s judgment with respect to procedural measures that foster accountability, the FTC has expressed concern that the CPBR does contain sufficient privacy safeguards.  Indeed, during a session at the IAPP Global Privacy Summit on Thursday, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, described the CPBR as “a step backwards.”