Obama’s Consumer Data Privacy Bill of Rights: Effective Self-Regulation, or White House-Endorsed Loopholes?

Wednesday, March 28th, 2012 at 2:11 pm, by Crystal Mao

When it comes to online privacy, the Internet's biggest names have attracted the most hostility. Last month, Google admitted that it had been circumventing Safari's cookie privacy settings in order to track users on iOS devices. And after numerous user complaints, Facebook reached a settlement with the FTC over charges that its privacy practices were "unfair and deceptive." In an age where behavioral data collection lets (for example) a retailer infer a customer's pregnancy long before her family knows, user tracking and privacy have become a scrutinized issue for legislation, litigation and public debate.

A Bill of Rights for User Privacy

To address the ongoing tension between consumer privacy and companies' insatiable appetite for data, on February 22 the White House released its widely anticipated consumer privacy proposal, designed to give consumers greater control over how their personal data is handled on the Internet. Existing online privacy protections come from a hodge-podge of sources: industry best practices, FTC recommendations, corporate privacy officers and a patchwork of state and federal statutes specific to sectors such as healthcare, education, communications, financial services and children. The White House's proposal aspires to create a more uniform federal regime that "extend[s] baseline protections to the sectors that existing federal statutes do not cover" and to serve as a "blueprint for privacy in the information age."

The crux of the proposal features a Consumer Privacy Bill of Rights that provides for the following seven rights:

  • Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  • Transparency: Consumers have a right to easily understandable information about privacy and security practices.
  • Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security: Consumers have a right to secure and responsible handling of personal data.
  • Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
  • Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Implementation: Voluntary Self-Regulation Triggers FTC Enforcement

While the White House did an admirable job of articulating consumer interests, critics have noted that the proposal falls short on implementation and enforcement. To implement it, the report calls for a voluntary, "multistakeholder" process in which government officials, industry representatives, privacy advocates and other interested parties work together to develop codes of conduct based on the Consumer Privacy Bill of Rights, which the federal government would then endorse. The process is modeled on the collaborative processes that bodies such as the W3C, the IETF and ICANN use to develop technical standards for the Internet.

Once drafted, these codes of conduct remain voluntary and do not bind a company unless it chooses to adopt them. Companies may adopt separate codes for different contexts or kinds of data and (with notice) may change their codes over time to adapt to shifting circumstances. However, once a company publicly commits to a code of conduct, that commitment becomes enforceable under § 5 of the FTC Act (15 U.S.C. § 45), just as companies today are bound by their published privacy policies.

By declining to prescribe specific regulatory or technical requirements, the White House hopes to avoid "fragment[ing] the global market for information technologies and services"; the approach also matches the FTC's longstanding preference for self-regulation in this sector. To give companies an incentive to participate, the report proposes that the FTC treat adherence to a code of conduct favorably in any investigation or enforcement action concerning conduct the code covers. If Congress passes legislation codifying the Consumer Privacy Bill of Rights, companies that have adopted a code of conduct would also be granted forbearance from enforcement under the statute.

The online advertising industry has welcomed the White House's self-regulatory approach, arguing that restrictive privacy rules could slow venture capital investment, innovation and job growth. Some lawmakers, however, are skeptical that privacy can be self-regulated by companies whose business is collecting user data.

"It's terrific that the advertising industry plans voluntarily to strictly and honestly comply with Americans' wishes not to be tracked. But voluntary compliance does not replace the need for a new law," Sen. John Kerry said. As an alternative to self-regulation, Sen. Kerry has co-sponsored a bill with Sen. John McCain, the Commercial Privacy Bill of Rights Act, that would codify principles similar to those in the White House's proposal.

Do Not Track: A Harbinger of What Is to Come?

As part of the White House's privacy announcement, the Digital Advertising Alliance (DAA), a coalition of prominent web and media companies including Google, Yahoo and AOL, agreed to honor "Do Not Track" settings in web browsers.

The FTC endorsed Do Not Track in its December 2010 staff report, under an implementation plan that also relied on self-regulation. In practice, Do Not Track is a browser setting that, when enabled, adds a "DNT: 1" header to every HTTP request the browser sends. The header only expresses the user's preference; it enforces nothing, so its effect depends entirely on whether the receiving site chooses to honor it. While the White House and the FTC praised the DAA's support for the plan, Do Not Track's troubled path to adoption is a warning to the White House about the pitfalls of asking companies to commit voluntarily to privacy regulation.

First, voluntary commitment means that privacy becomes subject to industry-written exceptions and conditions. The DAA's Do Not Track commitment is weaker and more qualified than what the FTC and the W3C have recommended, and it does not actually stop tracking of users who opt out: the opt-out applies to targeted advertising, but the DAA has indicated that its members will continue to collect user data for purposes such as market research, product development and law enforcement.
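The two preceding paragraphs describe the mechanism (a request header) and the loophole (purpose-based exceptions). The following JavaScript is an added example written for this page; it is not code from the DAA, any browser vendor or the original post. It shows how a site's server sees the Do Not Track header and, by encoding two hypothetical codes of conduct as data, why a user who has opted out cannot tell from the browser alone whether logging has actually stopped. The purpose names, the policy objects and the sample requests are all constructed for illustration.

```javascript
// Normalize the raw Do Not Track header into one of three states.
// "DNT: 1" means the user opted out, "DNT: 0" means explicit consent, and an
// absent header means no preference was expressed. Header names are
// case-insensitive, so accept whatever casing the client used.
function parseDnt(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'dnt');
  if (key === undefined) return 'unset';
  const value = String(headers[key]).trim();
  if (value === '1') return 'opt-out';
  if (value === '0') return 'consent';
  return 'unset'; // malformed value: treat as "no preference", never as consent
}

// Every purpose for which this hypothetical ad server logs a request.
const ALL_PURPOSES = ['ad targeting', 'market research', 'product development', 'law enforcement'];

// Two hypothetical codes of conduct expressed as data. The first honors the
// opt-out completely; the second keeps collecting for the purposes the post
// says DAA members reserved for themselves.
const HONOR_DNT_FULLY = { name: 'strict', exemptPurposes: [] };
const DAA_STYLE = {
  name: 'daa-style',
  exemptPurposes: ['market research', 'product development', 'law enforcement'],
};

// What the request handler will do with one request under a given policy.
// The header is advisory: this function, not the browser, is where the
// user's preference is either respected or partially ignored.
function trackingDecision(headers, policy) {
  const dnt = parseDnt(headers);
  const optedOut = dnt === 'opt-out';
  const collectFor = optedOut
    ? ALL_PURPOSES.filter((p) => policy.exemptPurposes.includes(p))
    : ALL_PURPOSES;
  return {
    dnt,
    targetedAds: collectFor.includes('ad targeting'), // what the user can observe
    collectFor,                                        // what is still logged
    stillTracked: collectFor.length > 0,               // any logging ties the hit to the user
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { label: 'browser with DNT enabled', headers: { host: 'ads.example', dnt: '1', cookie: 'uid=abc' } },
  { label: 'browser with DNT disabled', headers: { host: 'ads.example', DNT: '0' } },
  { label: 'browser sending no preference', headers: { host: 'ads.example' } },
];

function report(policy) {
  return SAMPLE_REQUESTS.map((r) => ({ label: r.label, ...trackingDecision(r.headers, policy) }));
}

for (const policy of [HONOR_DNT_FULLY, DAA_STYLE]) {
  console.log(`policy: ${policy.name}`);
  for (const row of report(policy)) console.log(' ', JSON.stringify(row));
}
```

Under the strict policy, a "DNT: 1" request is logged for nothing. Under the DAA-style policy, the same request produces targetedAds: false but stillTracked: true, which is exactly the situation the user cannot detect: the visible symptom (targeted ads) disappears while the logging continues.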

Furthermore, until the DAA's recent support for a watered-down version of Do Not Track, industry ignored the FTC's non-mandatory recommendations for years. Google and other current DAA members publicly opposed the FTC's plan and actively lobbied against a California bill that would have made it law. Even now, large players like Facebook are conspicuously absent, meaning that users who elect at the browser level not to receive targeted ads will still be tracked through Facebook "Like" buttons and similar embedded widgets. The opaque exceptions and lack of universal participation make it difficult for users to understand what is and is not being tracked, leaving a false sense of security for users who believe they have opted out of all tracking.

If the White House is not careful, its Consumer Privacy Bill of Rights, while well-intentioned, may ultimately have a lose-lose-lose effect. Users will be placated into thinking they have more control over their privacy, while web companies continue collecting browsing data under self-authored codes riddled with loopholes. Meanwhile, FTC investigations of privacy breaches by companies that have adopted watered-down codes of conduct will become harder, since those companies will qualify for the proposal's favorable treatment of code adherents. To avoid this outcome, the White House should take a stronger stance in ensuring that the codes of conduct produced under its plan are universally adopted and true to the privacy rights described in its current proposal.