The White House will push Congress to put
legislative muscle behind an online privacy bill of rights, but in the meantime
will push industry to adopt those principles voluntarily. That would allow the
Federal Trade Commission to go after anyone who makes and breaks that pledge as
having engaged in an unfair and deceptive practice.
Separately,
the Digital Advertising Alliance, which includes the major advertising
associations, has committed to a browser-based do-not-track option that will
allow Web users to opt out of behavioral advertising and would be respected
across those participating in DAA's self-regulatory program,
which Stu Ingis, DAA General Counsel, said Wednesday is about 90% of
businesses.
The
browser-based option is still an opt-out, rather than opt-in mechanism, for Web
surfers. But those who opted out would be preventing "most" data that
would otherwise be collected, says Ingis, with narrow carve-outs for fraud
protection.
The
White House in statement said that "nearly" 90% of the companies
responsible for delivering online behavioral advertising had committed to using
the browser-based do-not-track technology including Google, Yahoo!, Microsoft,
and AOL. DAA says that it is targeting 9 months for
standard language and "user experience" for the opt-out mechanism
across all participating browsers.
Both
those announcements are coming officially Thursday at a white House privacy
briefing, according to administration officials, regulators and industry
representatives in a White House briefing with reporters in advance of that
event.
The
Federal Trade Commission has long pushed the browser-based approach. FTC
Chairman Jon Leibowitz praised the industry for the announcement, though he did
not suggest it was a solution to online privacy. "This is not the end, and
may not be the beginning of the end, but this is a big step," he said told
reporters.
Leibowitz
said that what he is seeing is "a lot for forward progress by industry." He
said that was a good thing for consumers and their privacy.
At
the event Thursday, the White House will officially endorse the Commerce
Department recommendation of a privacy Bill of Rights consisting of seven
principles (see below). That recommendation is the final work product of a
Commerce green paper on privacy issued in Dec. 2010.
The
goal is to both protect U.S. consumers and to make
it easier for Internet companies to do business internationally, where there
have been concerns about U.S. privacy policies.
"The Administration's plan lays the groundwork for increasing interoperability
between the U.S. data privacy framework
and those of our trading partners," the White House said late Wednesday.
White House Deputy Chief Technology Officer Daniel Weitzner
told reporters that the White House did not think self-regulation solved the
entire problem-given that not all businesses have to step and sign on. "For us,
the blueprint that is the consumer privacy bill of rights will give us a basis
for engaging with Congress and encouraging them to develop legislative
protections."
He said it was a complicated legislative challenge. Commerce
Secretary John Bryson said that they would work with Congress to implement
legislation, but would move forward regardless. "We cannot wait," he said.
Congress is unlikely to be able to pass comprehensive privacy legislation
before those legislators turn to reelection efforts.
Here
is the "Privacy Bill of Rights," as outlined by the White House and backed by
the President:
1.
INDIVIDUAL CONTROL: Consumers have a right to exercise control over what
personal data companies collect from them and how they use it. Companies
should provide consumers appropriate control over the personal data that
consumers share with others and over how companies collect, use, or disclose
personal data. Companies should enable these choices by providing
consumers with easily used and accessible mechanisms that reflect the scale,
scope, and sensitivity of the personal data that they collect, use, or
disclose, as well as the sensitivity of the uses they make of personal
data.
Companies
should offer consumers clear and simple choices, presented at times and in ways
that enable consumers to make meaningful decisions about personal data
collection, use, and disclosure. Companies should offer consumers means
to withdraw or limit consent that are as accessible and easily used as the
methods for granting consent in the first place.
2.
TRANSPARENCY: Consumers have a right to easily understandable and
accessible information about privacy and security practices. At times and
in places that are most useful to enabling consumers to gain a meaningful
understanding of privacy risks and the ability to exercise Individual Control,
companies should provide clear descriptions of what personal data they collect,
why they need the data, how they will use it, when they will delete the data or
de-identify it from consumers, and whether
and for what purposes they may share personal data with third parties.
3.
RESPECT FOR CONTEXT: Consumers have a right to expect that companies will
collect, use, and disclose personal data in ways that are consistent with the
context in which consumers provide the data. Companies should limit their
use and disclosure of personal data to those purposes that are consistent with
both the relationship that they have with consumers and the context in which
consumers originally disclosed the data, unless required by law to do
otherwise. If companies will use or disclose
personal data for other purposes, they should provide heightened Transparency
and Individual Control by disclosing these other purposes in a manner that is
prominent and easily actionable by consumers at the time of data
collection. If, subsequent to collection, companies decide to use or
disclose personal data for purposes that are inconsistent with the context in
which the data was disclosed, they must provide heightened measures of
Transparency and Individual Choice. Finally, the age and familiarity with
technology of consumers who engage with a company are important elements of
context. Companies should fulfill the obligations under this principle in
ways that are appropriate for the age and sophistication of consumers. In
particular, the principles in the Consumer Privacy Bill of Rights may require
greater protections for personal data obtained from children and teenagers than
for adults.
4.
SECURITY: Consumers have a right to secure and responsible handling of
personal data. Companies should assess the privacy and security risks
associated with their personal data practices and maintain reasonable
safeguards to control risks such as loss; unauthorized access, use,
destruction, or modification; and improper disclosure.
5.
ACCESS AND ACCURACY: Consumers have a right to
access and correct personal data in usable formats, in a manner that is
appropriate to the sensitivity of the data and the risk of adverse consequences
to consumers if the data is inaccurate. Companies should use reasonable
measures to ensure they maintain accurate personal data. Companies also
should provide consumers with reasonable access to personal data that they
collect or maintain about them, as well as the appropriate means and
opportunity to correct inaccurate data or request its deletion or use
limitation. Companies that handle personal data should construe this
principle in a manner consistent with freedom of expression and freedom of the
press. In determining what measures they may use to maintain accuracy and
to provide access, correction, deletion, or suppression capabilities to
consumers, companies may also consider the scale, scope, and sensitivity of the
personal data that they collect or maintain and the likelihood that its use may
expose consumers to financial, physical, or other material harm.
6.
FOCUSED COLLECTION: Consumers have a right to reasonable limits on the
personal data that companies collect and retain. Companies should collect
only as much personal data as they need to accomplish purposes specified under
the Respect for Context principle. Companies should securely dispose of
or de-identify personal data once they no longer need it, unless they are under
a legal obligation to do otherwise.
7.
ACCOUNTABILITY: Consumers have a right to have personal data handled by
companies with appropriate measures in place to assure they adhere to the
Consumer Privacy Bill of Rights. Companies should be accountable to
enforcement authorities and consumers for adhering to these principles.
Companies also should hold employees responsible for adhering to these
principles. To achieve this end, companies should train their employees
as appropriate to handle personal data consistently with these principles and
regularly evaluate their performance in this regard. Where appropriate,
companies should conduct full audits. Companies that disclose personal
data to third parties should at a minimum ensure that the recipients are under
enforceable contractual obligations to adhere to these principles, unless they
are required by law to do otherwise.
