At Senate Commerce Committee hearing on "The Need for
Privacy Protections: Perspectives from the Administration and the Federal Trade
Commission" Tuesday, the Obama administration's perspective is clear. It
plans to press Congress for legislation codifying the privacy Bill of Rights
it proposed last fall.
Those rights were billed at the time as voluntary codes of
conduct that could start applying ASAP, but the White House also said it wanted
those eventually enshrined in law. Industry players applauded the voluntary
part -- the legislation, not so much.
According to the prepared testimony of Cameron Kerry,
Commerce General Counsel and a lead exec in drawing up the bill of privacy
rights, the administration message is clear: "We ask Congress to give the
Consumer Privacy Bill of Rights the force of law."
That includes codifying the eight basic principles in the
bill: Individual Control, Transparency, Respect for Context (data used
consistent with context in which consumers provided it), Security, Access and
Accuracy, Focused Collection ("reasonable limits") and Accountability
(appropriate safeguards for data collection).
Kerry argues that those voluntary principles need to be made
part of any baseline privacy legislation and enforceable by the Federal Trade
"These changes can begin without legislation," he
says in his testimony, "but the Administration urges Congress to
strengthen baseline privacy protections for consumers and to support continued
consumer trust in the digital economy by codifying the Consumer Privacy Bill of
Rights as part of baseline commercial privacy legislation."
Kerry also says he recognizes that the Commerce Committee
has a history of avoiding technical mandates, but that the principles are
sufficiently broad not to be overly prescriptive. For example, he says,
"legislation should not impose unnecessary burdens on all businesses to
address a privacy concern that is relevant only to a subset of companies."
Getting the FTC involved through statute would be a way for
the government to enforce the "voluntary" principles on those who do
not volunteer. Those who do volunteer and violate that pledge could already be
subject to FTC sanction via its false and deceptive practices, but that would
not apply to those who had not pledged anything.
"Granting direct enforcement authority to the FTC would
enable the Commission to take action against outliers and bad actors,"
says Kerry, "even if their actions do not violate a published privacy
policy so as to constitute a deceptive practice or act."