The Obama Administration’s release last month of a framework for protecting online privacy ranks among the most significant efforts to address privacy concerns in the short history of the information age.
The framework’s centerpiece is a “Consumer Privacy Bill of Rights” (.pdf). As discussed on Foley Hoag's Security, Privacy, and the Law blog, the Bill of Rights articulates seven broad, flexible, and forward-looking principles that should be able to accommodate the ever-changing nature of online privacy challenges:
Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Security: Consumers have a right to secure and responsible handling of personal data.
Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
The Administration gets a lot right in its framework. It recognized the need for its leadership in brokering a privacy deal between Internet businesses and consumer privacy advocates, and it responded with a broad framework that benefited both. Consumers obtain greater privacy protections, while companies derive a clear and consistent understanding of consumer expectations, the respect of which engenders consumer trust required to promote the growth of Internet companies.
The Bill of Rights requires a close connection between the reason for data’s collection and its ultimate use—and when that connection is not there, it requires transparency so that a consumer can control that use. As a set of values to be promoted across industry privacy efforts, the Bill of Rights is a resource for companies as much as a source of rights for consumers.
The second plank in the Administration’s framework melds self-regulation with government regulation by calling upon the Department of Commerce to spearhead a multi-stakeholder process to develop issue- and industry-specific codes of conduct. While participation in the codes of conduct is entirely voluntary, the codes will be enforceable by the Federal Trade Commission under its authority to prevent deceptive acts and practices. It remains to be seen just how many companies will be willing to sign up for this hybrid approach to regulation.
The wider framework includes other planks that vary greatly in quality and utility. The Administration’s call on Congress to enact legislation codifying the principles embedded in the Bill of Rights and expanding upon them with content derived from the individual codes of conduct sounds like a good idea in principle, but it runs the risk of freezing what are meant to be constantly evolving codes as of the moment the law is enacted. Given that partisan gridlock in Washington appears to be here to stay, the flexible approach to regulating online privacy embodied in the Bill of Rights seems better suited to keeping regulation up to date with the unremitting pace of online innovation.