Compliance officers looking for more guidance on consumer privacy—as if you don't have enough laws and guidance on privacy already—now have it, thanks to a fresh set of privacy standards published by the Obama Administration in February.

The standards are voluntary, but they do spell out several core principles that may presage stronger federal action on consumer privacy sometime in the future. They also go further than many state laws, in that they apply to companies that until now may have escaped many existing privacy regulations.

The standards are in a paper titled, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In its current state, the paper essentially offers a wish list “to guide Congress as they seek to implement comprehensive privacy legislation,” says David Almeida, a partner with law firm Sedgwick.

Still, the guidance could set a standard for acceptable privacy practices and play a role in how vigorously government agencies enforce other regulations. For example, companies that abide by the framework could earn lighter penalties from the Federal Trade Commission or state attorneys general when they run afoul of existing data privacy rules.  

The framework lays out a “Consumer Privacy Bill of Rights,” comprised of seven core principles designed to help guide companies with their privacy policies and decisions. These principles include:

Individual control. Companies would be expected to let consumers choose how their personal data is collected and used by providing easy-to-use mechanisms that reflect the “scale, scope, and sensitivity” of the data being collected.

Transparency. Companies would be expected to describe what personal data they collect, for what reason, how they will use it, how long they plan to keep it, and whether and for what purposes they will share the data with third parties.

Respect for context. Companies must provide “heightened measures of transparency and individual choice” if, after collecting data, they decide to use it for purposes inconsistent with the original context under which it was collected.

Security. Companies must assess their data collection and protection practices, and maintain reasonable safeguards to control risks of loss, unauthorized access, and improper disclosure.

Access and accuracy. Companies must use reasonable measures to ensure that they maintain accurate personal data.

Focused collection. Companies would be expected to collect only as much personal data as they need.

Accountability. Companies would have accountability to enforcement authorities if they do not establish or abide by appropriate policies and practices that ensure adherence to the Consumer Privacy Bill of Rights.

On a practical level, companies should re-examine the disclosures they are making to consumers in light of the new standards, says Paul Bond, a partner with law firm Reed Smith. “Are you doing everything you say you're doing in terms of protecting their information, or getting their consent before using it for something new?” he asks.

Another issue raised by the framework is whether companies are properly communicating how they intend to use the data they collect. “Is what I plan to do with this person's information something that would surprise the person based on the context of how I got their information and what I told them when I collected it?” Bond says. “If it would be a surprise, you have to think long and hard about whether you're allowed to do it and whether you need to get additional consent.”

Almeida agrees. “Transparency is the lynchpin,” he says. “You want to make sure that consumers don't feel like there is a ‘gotcha’ moment, where something wasn't disclosed.”

Ultimately, the Obama Administration hopes to strengthen consumer privacy protections by working with Congress to develop federal legislation to codify the Consumer Privacy Bill of Rights and extend privacy requirements to industries that historically have escaped stringent regulation, such as advertising and technology companies.

Specifically, the white paper expands the definition of “personal data” to mean any information—including aggregated data—that can be linked to a specific individual, including data that can be linked to a specific computer or other device. Any third party that collects and uses data to deliver tailored advertising to users, for example, must restrict the use of that data to market research and product development purposes only.

To that end, Bond suggests that companies should first ensure they have privacy policies and procedures in place. That means having written documents that affirm a company's commitment to protect information and meet consumer and counter-party expectations, he says.

Companies should also exercise adequate oversight of third-party providers, including appropriate contractual language. Almeida recommends that companies not only include indemnification clauses in their third-party contracts, but also consider whether that third party has data breach insurance to ensure that it has the means to respond to a breach.

TRANSPARENCY RULES

The following excerpt from the White House's data privacy framework explains the rules around transparency:

TRANSPARENCY: Consumers have a right to easily understandable and accessible information about privacy and security practices.

At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise individual control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.

Plain language statements about personal data collection, use, disclosure, and retention help consumers understand the terms surrounding commercial interactions. Companies should make these statements visible to consumers when they are most relevant to understanding privacy risks and easily accessible when called for.

Personal data uses that are not consistent with the context of a company-to-consumer transaction or relationship deserve more prominent disclosure than uses that are integral to or commonly accepted in that context. Privacy notices that distinguish personal data uses along these lines will better inform consumers of personal data uses that they have not anticipated, compared to many current privacy notices that generally give equal emphasis to all potential personal data uses. Such notices will give privacy-conscious consumers easy access to information that is relevant to them. They may also promote greater consistency in disclosures by companies in a given market and attract the attention of consumers who ordinarily would ignore privacy notices, potentially making privacy practices a more salient point of competition among different products and services.

In addition, companies should provide notice in a form that is easy to read on the devices that consumers actually use to access their services. In particular, mobile devices have small screens that make reading full privacy notices effectively impossible. Companies should therefore strive to present mobile consumers with the most relevant information in a manner that takes into account mobile device characteristics, such as small display sizes and privacy risks that are specific to mobile devices.

Finally, companies that do not interact directly with consumers—such as the data brokers discussed above—need to make available explicit explanations of how they acquire, use, and disclose personal data. These companies may need to compensate for the lack of a direct relationship when making these explanations available, for example by posting them on their websites or other publicly accessible locations. Moreover, companies that have first-party relationships with consumers should disclose specifically the purpose(s) for which they provide personal data to third parties, help consumers to understand the nature of those third parties' activities, and whether those third parties are bound to limit their use of the data to achieving those purposes. This gives consumers a more tractable task of assessing whether to engage with a single entity, rather than trying to understand what personal data third parties—potentially dozens, or even hundreds—receive and how they use it. Similarly, first parties could create greater transparency by disclosing what kinds of personal data they obtain from third parties, who the third parties are, and how they use this data. This level of transparency may also facilitate the development within the private sector of innovative privacy-enhancing technologies and guidance that consumers can use to protect their privacy.

Source: White House.

In the white paper, the Administration said it does not intend to alter existing federal sector-specific privacy laws—such as those affecting healthcare, telecommunications, and financial services. It does, however, recommend that future data privacy federal legislation pre-empt conflicting state laws that establish less stringent privacy standards.

Absent federal legislation (and when Congress might act on this priority is anyone's guess), the Administration has called for an immediate “multi-stakeholder process”—made up of companies, industry and privacy groups, and federal and state enforcement agencies—to develop voluntary codes of conduct based on the Consumer Privacy Bill of Rights. To the extent that a company agrees to adopt an industry code of conduct and then violates that policy, it could face prosecution under Section 5 of the FTC Act for deceptive practices.

Define ‘Voluntary’

So why would any company agree to adopt a code of privacy conduct? Stuart Ingis, executive director of the Digital Advertising Alliance, says that consumers are beginning to demand better data privacy protections. “Businesses want to do right by their consumers, and give them good transparency and good choices,” which is evidence enough as to why companies will step forward, he said.

Even if a company doesn't agree to an industry code, it may still face prosecution under the FTC. “Essentially, the industry's codes of conduct, one way or another, will be used to measure the conduct of industry participants,” Bond says.

During a press call, FTC Chairman Jon Leibowitz acknowledged that many companies already have begun to “step up to the plate and protect consumer privacy.”

Already, some companies are reacting to the standards. Following announcement of the Obama Administration's initiative, Internet giants Google, Yahoo, Microsoft, and AOL all agreed to implement a “Do-Not-Track” option on their browsers, enabling users to opt out of being tracked across Websites for profiling or behavioral advertising purposes. These companies also have voiced their support of the Administration's efforts.

“Consumer trust is vital to the growth of a vibrant Internet, and respect for privacy—putting people first—is essential to earning and maintaining that trust,” says Fred Humphries, vice president of U.S. government affairs for Microsoft. “The Administration's policy promotes an environment of transparency and meaningful privacy choices. Further, we are hopeful that the policy's establishment of a robust stakeholder dialogue will lead to more specific solutions and help overcome challenges faster.”

Sen. Patrick Leahy, D-Vt., chairman of the Senate Judiciary Committee, is urging the Senate to take up the “Personal Data Privacy and Security Act,” a comprehensive data privacy bill he introduced last year. The Judiciary Committee approved the bill in September, but it has not come up for a vote in the full Senate.

Leahy's bill would establish a single nationwide standard for data breach notification and require companies that have databases with sensitive personal information to establish and implement data privacy and security programs. Leahy said the FTC report “highlights the need for Congress to finally enact this necessary legislation.” But with Congress deadlocked on a number of issues, it's unlikely any comprehensive data privacy legislation has any chance of passing both chambers, at least not before the November elections.