What a Difference a Week Makes: A New Framework for Protecting Privacy

Was it just last week when we shared lots of gloom and doom about the state of US privacy? Who could have predicted that so much would change so quickly.

On February 23, the White House released Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy which includes a Consumer Privacy Bill of Rights.

The Consumer Privacy Bill of Rights provides a baseline of clear protections for consumers and greater certainty for businesses. The rights are:

  • Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
  • Transparency: Consumers have a right to easily understandable information about privacy and security practices.
  • Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security: Consumers have a right to secure and responsible handling of personal data.
  • Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
  • Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The Administration said enacting the Consumer Privacy Bill of Rights through Federal legislation would increase legal certainty for companies, strengthen consumer trust, and bolster the United States’ ability to lead consumer data privacy engagements with our international partners. Even if Congress does not pass legislation, the Consumer Privacy Bill of Rights will serve as a template for privacy protections that increase consumer trust on the Internet and promote innovation.

In addition to the Bill of Rights, the Administration’s privacy policy framework includes:

  • Fostering Multistakeholder Processes to Develop Enforceable Codes of Conduct: The Administration’s framework outlines a multistakeholder process to produce enforceable codes of conduct that implement the Consumer Privacy Bill of Rights. The Administration will convene open, transparent forums in which stakeholders who share an interest in specific markets or business contexts will work toward consensus on appropriate, legally enforceable codes of conduct. Private sector participation will be voluntary and companies ultimately will choose whether to adopt a given code of conduct. The participation of a broad group of stakeholders, including consumer groups and privacy advocates, will help to ensure that codes of conduct lead to privacy solutions that consumers can easily use and understand. A single code of conduct for a given market or business context will provide consumers with more consistent privacy protections than is common today, when privacy practices and the information that consumers receive about them varies significantly from company to company.
  • Strengthening Federal Trade Commission Enforcement: FTC enforcement is critical to ensuring that companies are accountable for adhering to their privacy commitments. Enforcement is also critical to ensuring that responsible companies are not disadvantaged by competitors who would play by different rules. As part of consumer data privacy legislation, the Administration encourages Congress to provide the FTC (and State Attorneys General) with specific authority to enforce the Consumer Privacy Bill of Rights.
  • Improving Global Interoperability: The Administration’s framework embraces the goal of increased international interoperability as a means to provide consistent, low-barrier rules for personal data in the user-driven and decentralized Internet environment. The two principles that underlie our approach to interoperability are mutual recognition and enforcement cooperation. Mutual recognition depends on effective enforcement and well-defined accountability mechanisms. Multistakeholder processes can provide scalable, flexible means of developing codes of conduct that simplify companies’ compliance obligations. Enforcement cooperation helps to ensure that countries are able to protect their citizens’ rights when personal data crosses national boundaries. These approaches will guide United States efforts to clarify data protections globally while ensuring the flexibility that is critical to innovation in the commercial world.

In the coming months, the Department of Commerce will work with other Federal agencies to convene stakeholders, including our international partners, to develop enforceable codes of conduct that build on the Consumer Privacy Bill of Rights.

The Administration also announced that coalition of Internet giants including Google has agreed to support a do-not-track button to be embedded in most Web browsers—a move that the industry had been resisting for more than a year. The companies have agreed to stop using the data about people's Web browsing habits to customize ads, and have agreed not to use the data for employment, credit, health-care or insurance purposes. But the data can still be used for some purposes such as "market research" and "product development" and can still be obtained by law enforcement officers. The do-not-track button also wouldn't block companies such as Facebook Inc. from tracking their members through "Like" buttons and other functions.

Much of the reaction to the Administration’s action has been positive:

  • “The Administration would seek implementation of a Consumer Privacy Bill of Rights by way of enforceable Codes of Conduct that would be derived through a collaborative process involving multiple stakeholders,” said privacy expert Lisa Sotto. “But the Administration does not put its faith entirely in the stakeholders to implement the Bill of Rights through Codes of Conduct; the Administration also calls for legislation to enact the Bill of Rights into law, as well as stronger FTC enforcement authority.”
  • Chris Wolf, the co-chair of the Future of Privacy Forum, echoed those comments, saying this is a “co-regulation” model, and one that he believes will help the U.S. address privacy in an era of changing technological innovation. In a statement, Wolf said he hopes lawmakers in Europe will look to this same model as a potential one for regulation.
  • Privacy advocate Justin Brookman, of the Center for Democracy and Technology, also said in a statement that the announcement is a step in the right direction. He gave the advertising industry credit for voluntarily implementing “do not track” technology” in web browsers.
  • The ACLU called it an "important first step. Day by day, we live more of our lives online, shopping, managing bank accounts and communicating with friends and family," said ACLU legislative counsel Christopher Calabrese. "It's crucial that the information we share is properly safeguarded. It's very encouraging to see the Obama administration making this issue a priority. Americans need clear and distinct policies in place when it comes to the kind of access law enforcement and private companies have to their online information."
  • Consumers Union (which published Consumer Reports) and Consumer Federation of America said the announcement signaled progress toward more consumer control of online data collection and use. "By including a Consumer Privacy Bill of Rights, the government is emphasizing the importance of transparency, individual control, and the ability to access and correct personal information, and recognizes there may be a need to for heightened protections for children and teens on the Internet," the groups said.

Of course, there’s also been questions about whether the policies and agreements will work. “Do not track” buttons have been a mixed bag in the past because while they have let advertisers know that users don’t want to be followed across the Web, not all advertisers had agreed to abide by the request. The “Do not track” buttons should appear on your computer screen soon. But, then, it will all come down to how we define “track.” “If you ask the typical consumer, what do you think it means to track, they would probably say well, if the company is following me around and looking at what I'm doing, that's tracking,” says Carnegie Mellon University professor Lorrie Cranor. “But, the industry says, well, there are a lot of times that we need to follow you around and look at what you're doing in order to provide services you want and need. Like, if you're on a retailer and you put stuff in your shopping basket, we need to know that. So, we're not going to call that tracking. And then they have a whole list of things that they say we're not going to call tracking. And, depending on whether you're a consumer or whether you're Facebook or Google or a retailer, you probably have different interests in what should be tracking and what's not tracking.”

There’s also been talk that the deal is just a big win for the industry. “The White House announcement is a huge victory for Google on privacy,” said Jeff Chester, executive director of the Center for Digital Democracy. Cecilia Kang writes in the Washington Post that Silicon valley was nervous about more stringent policies. Across the country in Washington, federal lawmakers were proposing legislation that could have crippled the efforts of Web companies to collect consumer data that is crucial to selling advertisements online. After a year of negotiations, the White House unveiled privacy guidelines for these firms that urged them to install “do not track” technology on browsers but fell short of requiring it. Tech giants, in particular Google, breathed a sigh of relief. They would agree to curb some tracking activities, but it would largely be on their terms and wouldn’t hobble their cash cow.

Writing for paidContent.org, Jeff Roberts says that, for now, the lack of details in the grand privacy announcements means it is unclear when (or if) consumers will be able to turn of behavioral tracking entirely. But in the short term, the “Privacy Bill of Rights” is a political winner for both President Obama and for the tech companies with which he is ideologically and financially allied. More specifically, it allows the President to appear out front on the privacy debate at a time when Republicans also want to make political hay out of the issue. For the Internet companies, the announcement will permit them at least a partial reprieve as they lobby to minimize regulatory oversight. Their ability to do so is shrinking, though, as other political actors continue to step into the privacy arena.

Politico’s Michelle Quinn writes that what the industry gains is valuable: It buys time to show lawmakers it can create and implement a credible new system for responding to consumer concerns about being tracked online. In exchange, companies may avoid a federal law mandating a Do Not Track system.

The Administration’s action comes on the heels of, well, Congressional inaction on online privacy. Congress has been mulling general online privacy laws for longer than Google and Facebook have been dot-coms. But none has passed muster. There are several reasons for the absence of a broad online privacy law in the U.S., although the European Union has passed strict protections on how companies can collect and use consumer data, and U.S.-based companies have to comply with these laws in the EU. Just as technological advances have made it easier for companies like Google to track people online, they have also allowed firms to prosper by offering an ever-expanding list of cool, convenient ways for people to share data and get information. When it comes to data privacy, a lot of people would say they are for it in the abstract. But most of them would also have to admit that they’re willing to trade their privacy in exchange for the ability to look up the nearest Italian restaurant or stay in touch with their high school friends. In addition, political parties have gotten into the game, using the latest tools from Facebook, Google, Twitter and other online companies to try to help candidates win elections. Some of these tools help target voters, raise campaign funds and spread a candidate’s message. Finally, there is concern that federal privacy legislation would harm tech companies and the advertising industry if it’s not carefully crafted.

Congress’ response to the White House announcement has been measured. Reps. Joe Barton (R-Texas) and Ed Markey (D-MA) vowed to pushed ahead with their "Do Not Track Kids Act" despite voluntary commitments from Web companies. Rep Markey called the Administration’s privacy framework "an important starting point." “Consumers, not corporations, should be in control of personal information. Voluntary, self-regulatory efforts are not a substitute for laws that keep consumers information safe from prying eyes." House Manufacturing and Trade Subcommittee Chairman Mary Bono Mack (R-CA) said “any rush-to-judgment could have a chilling effect on our economy and potentially damage, if not cripple, online innovation.” She promised hold a hearing next month on the White House's Privacy Bill of Rights. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) promised to “closely monitor implementation of the new industry effort to make sure that consumer expectations are, in fact, being met.”

In addition to the federal action this week, there was also considerable developments at the state level. First, California Attorney General Kamala D. Harris (D-CA) announced an agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to strengthen privacy protections for smartphone owners who download mobile applications. The agreement will force developers to post conspicuous privacy policies detailing what personal information they plan to obtain and how they will use it. It also compels app store providers like Apple and Google to offer ways for users to report apps that do not comply. Technology firms, as part of the agreement, said they would educate app developers about consumer privacy and “disclose to consumers what private information they collect, how they use the information and with whom they share it.” The tech firms also committed to creating online tools making it easier for consumers to report apps that are not compliant with state law.

At the same time, dozens of state attorneys general wrote Google’s chief executive to express “strong concerns” that the company’s new privacy policies – slated to go into effect March 1 -- will violate consumer privacy. They said the plan to begin sharing consumer data across Google’s “forces these consumers to allow information across all of these products to be shared, without giving them the proper ability to opt out.” The law enforcement officials said users may want to keep their Web searching history separate from information they get from Gmail or YouTube. But for users signed on to those services, that data will be blended by the search giant to serve up ads better tailored to users preferences. “It rings hollow to call their ability to exit the Google products ecosystem a ‘choice’ in an Internet economy where the clear majority of all Internet users use — and frequently rely on — at least one Google product on a regular basis,” the state attorneys general wrote to Page. And they said the costs to switch e-mail and document applications could be enormous for businesses and government offices that use Google apps. They requested a meeting with Page to explain the privacy policies and an answer to their letter by Feb. 29. The letter was signed by, among others, Maryland attorney general Douglas Gansler, California’s Kamala Harris and New York’s Eric Schneiderman.

On February 22, the Center for Digital Democracy petitioned the Federal Trade Commission for a ruling on whether Google's announced change in privacy policy violates its consent decree with the FTC over Google Buzz. CDD says users are still not sufficiently informed about the company's digital advertising and marketing practices, which it says are at the heart of the proposed changes. CDD says it has made informal inquiries and submissions, but is now making a formal request for an investigation, and asked the FTC to request that Google postpone the change until that investigation is complete.

Of course, the White House privacy announcement did not occur in a bubble. There’s been great concern about protecting personal information online. At the end of the day, wrote Dominic Basulto in the Washington Post, Web firms need your data for essentially two reasons: (1) to deliver a more personalized experience for users or (2) to sell this data to advertisers and third parties. Thus far, we’ve given companies like Google a free pass, taking them at their word that they are not somehow “evil,” that they are, indeed, delivering a superior, personalized experience. The answer to privacy break-ins is not more government regulation of the Web, as several Congressmen are now urging after Google's latest privacy-related woes. Rather, the answer is making it easier for individuals to monitor and self-police their Web presence. Safari needs to be a final wake-up call: We all need to be more vigilant about what data is being shared, with whom it is being shared, and where.

The latest on online privacy is just one of three big stories we tracked this week. Check out our wrap up of the Spectrum Provisions in the Middle Class Tax Relief Act and a look at what critics are saying about the Verizon/cable company spectrum sale.

Here’s a quick look at next week’s agenda. We’ll see you in the Headlines.