On February 23, 2012, the White House issued a press release on its plan to protect consumer privacy on the Internet through a “Consumer Privacy Bill of Rights.” This proposal is part of a larger goal to adopt comprehensive consumer data privacy in the Internet age, as well as bring the United States into conformity with similar privacy principles that are currently enforced throughout the world. This new “Bill of Rights” would increase the protection of individual privacy rights, give users more control over how their information is handled, and allow for new legal tools to protect against misuse of information.
The Consumer Privacy Bill of Rights would apply to all “personal data,” meaning “any data, including aggregations of data, that is linkable to a specific individual.” The newly developed rights include the right to control how personal data is used, the right to avoid having information collected in one context and then used for an unrelated purpose, the right to have information held securely, and the right to know who is accountable for the use or misuse of an individual’s personal data.
The Consumer Privacy Bill of Rights adopts seven general guiding principles for future rule-making and legislation:
- Individual Control. Consumers are entitled to be presented with clear choices about personal data collection, use and disclosure, including the ability to withdraw or to limit consent and companies should be required to offer these clear choices. Internet and online advertising companies including Google, Yahoo!, Microsoft, and AOL, in response to calls from the Administration and the FTC, have already taken a positive step in this direction through their commitments to use Do Not Track technology from the World Wide Web Consortium (This technology relies on information in the HTTP header to signal that the Internet user does not want to be tracked by online advertisers and sites. On most web browsers the preference can be set in the “options” or “preferences” pane by checking a box marked “Tell web sites I do not want to be tracked.”)
- Transparency. Consumers have a right to know the scope of information collected, how it is used, when it is deleted, and whether it is shared with third parties and companies should clearly disclose this information.
- Context. Companies should be cognizant of the age and sophistication of the consumer and how these factors relate to the use and disclosure of personal data. Use and disclosure should be commensurate with these factors.
- Security. Companies should maintain safeguards to control improper disclosure of consumer data, data loss, and unauthorized access.
- Access and Accuracy. Companies should provide consumers with reasonable access to their personal data and the ability to correct data, request its deletion, or limit its use.
- Focused Collection. Companies should collect only as much personal data as needed to further appropriate purposes. Once collected data is no longer needed, it should be deleted or de-identified.
- Accountability. Companies should conduct full audits where appropriate, and companies that disclose personal data to third parties should ensure that these third party recipients are also under the enforceable obligations of the Consumer Privacy Bill of Rights.
The Commerce Department’s National Telecommunications and Information Administration (NTIA) plans to convene Internet companies and consumer advocates to develop enforceable codes of conduct that comply with the Consumer Privacy Bill of Rights. These codes of conduct would be enforceable by the Federal Trade Commission (FTC). In addition, the Administration intends to work with Congress to enact comprehensive privacy legislation that would provide the FTC and State Attorneys General with specific authority to enforce the Consumer Privacy Bill of Rights.
While stressing the importance of strict FTC regulation, the Administration also recognized that any legislation or guidelines regulating Internet privacy must be sufficiently flexible to adapt to the ever-changing technology world.