But the issue has not gone away. Apple, Google, Facebook, Path, UPromise, and others have all suffered embarrassing public relations setbacks as a result of the exposure of certain of their practices relating to the collection and use of user information.
In the meantime, the Obama Administration has shifted its focus to a (mostly) non-legislative solution to the perceived need for more robust protection of consumers’ online privacy. On February 23, 2012, the Obama administration published A Consumer Privacy Bill of Rights The Consumer Privacy Bill of Rights provides for industry self-regulation coupled with the prospect of government enforcement in the event that industry fails to do the things that it claims it will do. It would apply to “personal data,” broadly defined as any data that can be linked back to an individual.
The seven principles enshrined in the Consumer Privacy Bill of Rights are as follows:
- “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.” This principle would require that consumers be given an appropriate measure of control over the personal data that companies collect and use. The control mechanisms should be simple and be commensurate with the scope and sensitivity of the data being collected.
- “Consumers have a right to easily understandable and accessible information about privacy and security practices.” This principle would require clear and meaningful disclosures of the types of date collected, why the data is needed, how it will be used, and whether and for what purpose it might be shared with third parties.
- “Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provided the data.” Pursuant to this principle, companies should limit their use and disclosure of data to purposes that are consistent with the relationship that the company has with the consumer, and the context in which the data was disclosed.
- “Consumers have a right to secure and responsible handling of personal data.” This principle imposes an obligation on companies to handle personal data in a responsible manner and to maintain reasonable safeguards against loss, unauthorized access, or disclosure.
- “Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.” This concept would require that, at least with respect to certain kinds of sensitive data, companies should permit consumers to view information that has been archived about them and allow consumers to make corrections to that data.
- “Consumers have a right to reasonable limits on the personal data that companies collect and retain.” Under this theory, companies should only collect as much data as they need to accomplish the disclosed purpose of their data collection and should delete the data when it is no longer necessary.
- “Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.” This provision would require training of employees and accountability to enforcement authorities in the event of noncompliance with the principles embedded in the Consumer Privacy Bill of Rights.
Although the substantive provisions of the Consumer Privacy Bill of Rights are very general, the document contains some clues as to the administration’s priorities among the specific provisions of the final codes of conduct. Nevertheless, the text of the report foreshadows some of the specific rules that appear to be important to the administration:
- It appears likely that changes to browser technology (something akin to Firefox’s “private browsing” tool) may play an important role. Major online players such as Google and the Digital Advertising Alliance were involved in the drafting of the document and the publishers of the major browsers have apparently agreed to honor consumers’ “do not track” selections.
- On0e of the seven basic principles focuses on accessibility to information and the ability of consumers to correct mistakes.Many collectors of online data currently do not provide either of those capabilities, so it will be interesting to see in what direction the discussion moves on that topic.
- The “individual control” discussion, a discussion of the complexities presented by third party aggregators of data, must be addressed. These third party aggregators may have no direct relationship with consumers, and include those who search publicly available sources of data for the purpose of building profiles of individuals. These entities currently are not within the reach of privacy regulations, but the focus on that model suggests that they may be within the reach of the new standards.