The White House recently unveiled a significant and comprehensive Consumer Privacy Bill of Rights that, if adopted as law, will have major impact on advertisers, agencies, Internet companies and consumers. The Obama Administration (the Administration) is raising the bar on this measure in an area where Congress has struggled in order to provide consumers with greater online privacy protection through voluntary codes of conduct, federal legislation, and enforcement by the Federal Trade Commission (FTC) and state Attorneys General. The measure also supports a federal national standard for notification of data breaches and preemption of the patchwork of existing state law standards.
On the same day as the February 23 Bill was unveiled, the White House, Department of Commerce and FTC each commended the Digital Advertising Alliance (DAA) for its self-regulatory privacy program for online, interest-based advertising. Also on that day, the DAA announced an industry self-regulatory program “that will immediately begin work to recognize browser-based choices with a set of tools by which consumers can express their preferences under the DAA Principles.” Major Internet players such as Google and Microsoft agreed to honor consumer do-not-track choices, a particularly significant development given that those players represent the majority of online behavioral advertising delivery and given that such a commitment is subject to FTC enforcement.
The White House said the “blueprint will guide efforts to protect privacy and assure continued innovation in the Internet economy by providing flexible implementation mechanisms to ensure privacy rules keep up with ever-changing technologies.” The action steps for this blueprint are:
- Making Enforceable the Consumer Privacy Bill of Rights: The Commerce Department’s national Telecommunications and Information Administration (NTIA) will soon convene Internet companies and consumer advocates to develop enforceable codes of conduct that comply with the Consumer Privacy Bill of Rights, building on strong enforcement by the FTC. The Administration will also work with Congress to enact comprehensive privacy legislation based on the rights outlined here.
- Achieving privacy policies for a Global, Open Internet: The Administration’s plan lays the groundwork for increasing interoperability between the U.S. data privacy framework and those of U.S. trading partners.
- Industry Action: In response to calls from the Administration and the FTC, leading Internet companies and online advertising networks are committing to use Do Not Track technology from the World Wide Web Consortium in most major web browsers to make it easier for users to control online tracking.
Seven Fundamental Protections
According to the White House press release, the Bill of Rights consists of seven fundamental protections that consumers should expect from companies:
- Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable information about privacy and security practices.
- Respect for Context: Consumers have a right to expect that organizations will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
Federal Privacy Legislation
The White House Report, ambitiously titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” calls for Congress to enact legislation to:
- Codify the Consumer Privacy Bill of Rights;
- Grant the FTC and state Attorneys General authority to enforce the law directly;
- Pre-empt state privacy laws that are inconsistent with the Consumer Privacy Bill of Rights;
- Establish a safe harbor from enforcement for companies that adhere to voluntary codes of conduct that the FTC has reviewed and adopted; and
- Set a national standard for security breach notification that pre-empts existing laws in 47 states.