Today the White House released its long-awaited Privacy Report in which it unveiled a Consumer Privacy Bill of Rights intended to provide consumers with greater online privacy protection, and establish a blueprint for implementing the Bill of Rights through voluntary codes of conduct, federal legislation, and enforcement by the FTC and state Attorneys General.

On the same day, the Digital Advertising Alliance announced "it will immediately begin work to recognize browser-based choices with a set of tools by which consumers can express their preferences under the DAA Principles."  According to the White House press release, this means leading Internet companies and online advertising networks will comply when consumers try to control online tracking by using already-existing web browser settings.

The Bill of Rights, which provides a modern expansion of the traditional Fair Information Practice Principles (FIPPs), seeks to bring America more in step with how Europe, Canada and other jurisdictions with more mature privacy frameworks protect their citizens' rights to privacy, while preserving flexibility for businesses in how to most effectively implement them.

The next step is for the Commerce Department to convene stakeholders - including companies, privacy and consumer advocates, technical experts, international partners, and academics - to develop and implement a set of voluntary codes of conduct based on the Bill of Rights.  The Report urges stakeholders to participate in this process so that they have a say in the development of context-specific codes of conduct.

A White House fact sheet also states that the Administration will work with Congress to enact legislation that embodies the Bill of Rights, in the belief that federal legislation would "increase legal certainty for companies, strengthen consumer trust, and bolster the United States' ability to lead consumer data privacy engagements with our international partners."

Consumer Privacy Bill of Rights

The Bill of Rights consists of seven fundamental protections that consumers should expect from companies:

  • Individual Control:  Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
  • Transparency:  Consumers have a right to easily understandable information about privacy and security practices.
  • Respect for Context:  Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security:  Consumers have a right to secure and responsible handling of personal data.
  • Access and Accuracy:  Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
  • Focused Collection:  Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability:  Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Federal Legislation

The Report calls on Congress to codify the Consumer Privacy Bill of Rights.  This new federal law should:

  • Allow the FTC and state Attorneys General to enforce the law directly (there is no mention of a private right of action).
  • Pre-empt state privacy laws that are inconsistent with the Consumer Privacy Bill of Rights.
  • Avoid prescribing technology-specific means of complying with the law's obligations.
  • State companies' obligations under the Consumer Privacy Bill of Rights with greater specificity than the Bill of Rights provides.
  • Establish a safe harbor from enforcement for companies that adhere to voluntary codes of conduct that the FTC has reviewed and adopted.
  • Set a national standard for security breach notification.