At the end of February, the White House released a “discussion draft” of its Consumer Privacy Bill of Rights (CPBR). The objective of the bill is to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”
Forty-five days after President Obama appeared at the Federal Trade Commission (FTC) to outline his administration’s intentions, the bill was released. According to the draft, industries would be responsible for developing codes of conduct for data privacy standards and implementing privacy review boards that would be overseen by the FTC.
The CPBR also asks businesses to be transparent about their data practices in “concise and easily understandable language.” Consumers should also have a means to see, correct and delete personal data held by companies, and those same businesses should not sell personal data to third parties in ways that would surprise consumers.
While President Obama has identified himself as a proponent of privacy rights, the CPBR comes a full three years after it was first proposed. Much like the initial draft released in 2012, the most recent document adheres to the following principles:
- Individual Control – Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
- Transparency – Consumers have a right to easily understandable and accessible information regarding privacy and security practices.
- Respect for Context – Consumers have a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security – Consumers have a right to secure and responsible handling of personal data.
- Access & Accuracy – Consumers have a right to access and correct personal data in usable formats, in a manner appropriate to the sensitivity of the data and risk of adverse consequences to consumers if the data is inaccurate.
- Focused Collection – Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability – Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
Meaningful Privacy Protections?
While the CPBR won some support from IT incumbents and trade organizations, it unsurprisingly garnered criticism from organizations all over the political spectrum. Tech companies like Microsoft celebrated the proposed bill. Chief Privacy Officer Brendon Lynch commented that he hopes the CPBR will “kick-start a much needed conversation about how to protect people’s personal information … [and help] build trust and foster innovation.”
Future of Privacy Forum (FPF) co-chairs Jules Polonetsky and Christopher Wolf said:
“International data regulators should recognize that this bill is not a critique of the current system but the opening of a nuanced conversation that seeks to balance benefit and risk, while being considerate of consumer rights.”
On the other side, according to the Center for Democracy and Technology’s director of consumer privacy Justin Brookman, the law “has too many loopholes and doesn’t provide for meaningful enforcement,” adding that it is at least encouraging that the President is attempting to advance privacy issues.
John Simpson, privacy project director for Consumer Watchdog, a non-profit organization advocating consumer rights reform in the US, said, “The bill envisions a process where industry will dominate in developing codes of conduct…. [However] the bill is full of loopholes and gives consumers no meaningful control of their data.”
The CPBR leans heavily on a “multi-stakeholder” process to develop codes of conduct that would provide companies that adopt such codes a “safe harbor” from enforcement. It would also pre-empt stronger state laws, causing some states that currently have more stringent consumer data privacy policies in place to replace them with the weaker federal legislation.
Senator Ed Markey (D-MA), currently releasing privacy legislation of his own, said that the bill:
“…falls short of what is needed to ensure consumers and families are squarely in control of their personal data… instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally enforceable rules that companies must abide by and consumers can rely upon.”
According to other privacy advocates, the bill does not grant the FTC appropriate authority. Jeffrey Chester, Executive Director for the Center for Digital Democracy, said the bill:
“…fails to give the FTC, the country’s key privacy regulator, ‘rule-making’ authority to craft reasonable safeguards and actually empowers the companies that now harvest our mobile, social, location, financial and health data, leaving them little to fear from regulators.”
While it is unlikely that the bill will become legislation, the concerns and issues that it raises will have an impact on the privacy debate. It brings to light the importance of context in data usage, risk-benefit analysis and the consideration of privacy review boards, which are important in the discussion of consumer privacy.
This article discusses the White House’s latest draft Consumer Privacy Bill of Rights (CPBR), which comes three years after it was first proposed.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, as well as the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:
- Technologies with privacy impacts (CIPP/IT; VI.)
- Privacy as a core value in US government (CIPP/G; I.A.b.i.)
- US public and private sector information privacy laws (CIPP/G; I.B.)