BRAVE NEW NETWORKED WORLD: Collecting And Using Consumer Information Online Under The New Privacy Bill Of Rights


Recent and pending mandates by the federal government will directly impact every company that collects or uses consumer data online. The privacy policies for all interactive web sites and mobile apps, including those owned by currently-regulated companies, will require dramatic reassessment in a way that will certainly change the online business model.

The Obama Administration has released its Consumer Privacy Bill of Rights for web users, which serves as the framework for its larger plan, "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy." The Administration's action is intended to establish a basic, universal bill of privacy rights for consumer web users regarding how their data is collected and used online. Although surprising to some in its scope, the Privacy Bill of Rights and related plan were developed with industry input, and leading technology companies have already agreed to voluntarily follow its provisions.

The Commerce Department's National Telecommunications and Information Administration ("NTIA") will shortly convene industry representatives and consumer advocates to develop "enforceable codes of conduct" consistent with the Privacy Bill of Rights. At the same time, the Administration will work with Congress to "enact comprehensive privacy legislation" based on the Privacy Bill of Rights.

The Privacy Bill of Rights addresses individual control of personal data by the consumer, most notably the industry-wide adoption of Do Not Track technology developed by the World Wide Web Consortium (the "do-not-track button"), and the development and implementation of dynamic, industry-specific enforceable codes of conduct, which will be agreed upon by companies collecting personal data online and enforced by the Federal Trade Commission (the "FTC"). Google, Yahoo!, Microsoft, and AOL have already made this FTC-enforceable commitment.

Notably, "personal data" of a consumer includes any data that may be linked to a specific consumer (including aggregate data) or a specific computer or device (including tablets and smartphones). The seven stated rights are as follows:

  1. Individual control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it;
  2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices;
  3. Respect for context: Consumers have a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data;
  4. Security: Consumers have a right to secure and responsible handling of personal data;
  5. Access and accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and risk of adverse consequences to consumers if the data is inaccurate;
  6. Focused collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain; and
  7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to ensure that they adhere to the Consumer Privacy Bill of Rights.

This action by the Administration comes amid a growing clamor by consumers and consumer advocates regarding the rapidly increasing use of personal data (both in volume and type of usage) by search, social media and other interactive websites. The recent New York Times article on "How Companies Learn Your Secrets" and the use of predictive analytics by Target and other companies raise issues of social responsibility for corporate America. [http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html] Although industry practice has long been to post website privacy policies regarding the collection and use of personal data online, such policies universally grant the site owner the ability to change the policy at any time. Some consumer advocates consider the privacy policies worthless in that regard and even "unfair" or "abusive" to the consumer.

The Privacy Bill of Rights comes on the heels of recent developments on a variety of fronts, including: current pending federal legislation incorporating privacy by design (PbD), a paradigm shift that requires privacy to be built directly into the business structure (including technology specifications, networking, and business practices); Congress' consideration of privacy hearings regarding Google's impending privacy policy changes; Google's announcement that they will implement a do-not-track button; agreements by Google, Apple, Hewlett-Packard, Microsoft, and Research in Motion with the California state attorney general to extend the applicability of the Californian Online Privacy Act to mobile apps; the FTC's pending revision of regulations regarding the Children's Online Privacy Protection Act; and previous settlements by the FTC with Google, Facebook and Twitter. The Privacy Bill of Rights (including FTC enforcement) focuses on the actual practice of collecting and using personal data online, without regard to the type of industry or transaction at issue. These evolving requirements will almost certainly apply to industries whose privacy practices are already highly regulated, including financial services companies (under the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and implementing regulations) and health care companies under the Health Insurance Portability and Accountability Act. The Obama Administration contemplates legislation that would preserve sector-specific laws that protect data and minimize duplicate legal obligations by recognizing commonly accepted information practices and ensuring they are well-tailored to the context in which they occur (e.g. health information sharing among a patient's health care providers).

Although the terms of the Privacy Bill of Rights are fairly broad and are enforceable only against companies that have voluntarily agreed to them, these terms will soon lead to industry standards, "codes of conduct," and potentially sweeping legislation. Companies that collect any type of personal data online should assess their privacy policies in light of the evolving requirements, including review by regulated companies of how these requirements will impact their current compliance efforts. Business models, practices and infrastructure will likely be impacted significantly. Keep in mind that the FTC and state attorneys general have, and use, their enforcement authority against companies within their respective jurisdictions that act in an unfair or deceptive manner, including failure to follow one's own privacy policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
