This year, the Obama administration is expected to finalize the blueprint for a new U.S. privacy “framework” governing business practices that involve the collection, use, and sharing of consumers’ personal data online. The plan is expected to guide federal policymakers as they struggle with the challenge of protecting consumers’ privacy in the Internet age.
In December 2010, the Department of Commerce published a preliminary proposal calling for a set of basic principles, or a “privacy bill of rights,” to serve as the foundation for commercial data privacy protection in the United States. The Department of Commerce is now seeking input from the public, including on the question of whether there is a need for federal legislation to enforce such principles. Comments are due on January 29, 2011 and are expected to assist the White House’s Privacy and Internet Policy Subcommittee in preparing a final policy document – most likely a white paper. The main purpose of the project appears to be to arm Congress with as much information as possible before it examines privacy this year, no doubt a significant item on their 2011 agenda.
Extremely controversial – the Federal Trade Commission is also weighing privacy proposals such as a “do-not-track” mechanism, potentially allowing consumers to avoid having their online activities followed by advertisers. The government initiatives come at a time when key lawmakers are calling for the enactment of comprehensive federal privacy legislation and, overall, 2011 may shape up to be a watershed year for online privacy policies.
The Department’s proposal was prepared by its Internet Policy Task Force, following an earlier inquiry, and was outlined in a document entitled a “green paper.” A similar paper on cybersecurity could be released by early spring. The agency is also expected to issue papers on copyright protection and the global free flow of information. In summary, the privacy paper called for the U.S. government to take certain steps to nudge businesses toward adoption of a full set of “fair information practice” principles, such as clearly articulating why data is being collected, committing to data use limitations based on specified purposes, and submitting to privacy audits as an accountability measure. Department officials have referred to these principles as a “privacy bill of rights.”
The Department of Commerce has proposed the creation of a Privacy Policy Office within the agency to help translate the principles into industry best practices. The new office, which is expected to be set up this year, will lead the development of voluntary, enforceable codes of conduct for designated industries, working in collaboration with the FTC. The Department has made it clear that it believes the office to be necessary because it does not truly believe there is an adequate sense of urgency in developing these codes of conduct. The Department believes that the new office will encourage the private sector to develop conduct codes more rapidly by bringing stakeholders together to persuade them of the validity of a new framework. Pursuant to the Department’s proposal, the FTC would play a part in developing conduct codes and would also be responsible for enforcing them. A company’s voluntary commitment to a code would be enforceable by the commission.
Compliance could serve as a safe harbor for firms facing complaints about their privacy practices. In fact, the Department’s report vaguely appears to be supportive of industry self-regulation, which is altogether more favorable than prescriptive legislation. Of course, consumer advocacy groups believe that the proposal does not go far enough – that the Department’s role is to protect business, not consumers. It should be expected in the weeks and months ahead that the consumer advocacy community will be looking to Congress and the FTC, rather than the Department of Commerce, to establish strong consumer privacy policies.
Among other legislative options, the Department of Commerce is considering whether the FTC requires expanded powers. The FTC’s ability to enforce a code is currently limited to cases where a particular company has promised to comply. In the meantime, the Department’s “green paper” does recommend and call for certain narrow legislative measures, including nationally consistent data security-breach notification rules and a review of the Electronic Communications Privacy Act for the “cloud computing” environment.
As we enter 2011, there is no single federal law governing the protection of consumer data in the United States. Instead, there is a patchwork of federal and state privacy regulations, industry best practices, and self-regulatory standards. A key area of concern for policymakers has been the emergence of behavioral advertising – the practice of tracking consumers’ Internet activities in order to deliver targeted ads. In an effort to avoid prescriptive federal regulation, leading marketing groups have launched what is considered to be the industry’s largest self-regulatory program. The effort involves the use of a universal symbol to help the industry make its data-collection practices more transparent to Internet users, as well as a central web page allowing consumers to opt out of such practices. The Council of Better Business Bureaus (CBBB) and the Direct Marketing Association are expected this year to begin monitoring compliance.
Meanwhile, the FTC is weighing other solutions. In December, the FTC published a staff report, recommending a draconian “do-not-track” mechanism for the Internet. The document is intended to aid policymakers, including Congress, and to provide information regarding industry best practices and self-regulatory efforts. Similar to the Department of Commerce paper, the FTC report proposed a new U.S. privacy framework, while stopping short of calling for privacy legislation.
One thing seems certain – a legislative solution will surely be “provided” if the industry does not step up to the plate. While much of the attention has focused on the “on/off switch,” otherwise known as the “do-not-track” proposal, the FTC’s report contained several other recommendations that represent a shift from the Commission’s traditional thinking on privacy. The FTC staff report really calls for somewhat of a restructuring in the way that privacy is handled. Under the FTC’s proposed framework, companies would need to improve their privacy policies and provide choices to consumers in a simpler, more streamlined way. In addition, the proposal calls for firms to build privacy protections into their everyday business practices—a privacy by design approach. In theory, the foregoing aspect of the FTC’s report may indeed be much more significant than the Commission’s do-not-track proposal in that the privacy-by-design mandate affects every business in every industry sector.
Both agency reports are groundbreaking in that they attempt to develop a new model for privacy in the United States, based on an expanded set of fair information practice principles. The current U.S. model relies heavily on a “notice and choice” approach. The FTC and the Department of Commerce have proposed adding other principles, such as limiting data collection to specified business purposes. While the FTC couched it as privacy by design and the Department of Commerce called it a “privacy bill of rights,” the reality is that they are both considering the same thing. While the FTC has long been active in the privacy arena, the Department of Commerce had been dormant on the issue for years, until now. In fact, the Department of Commerce has suddenly and decisively become proactive on this issue, not just domestically, but internationally. That now means that there are two agencies that will be focused on privacy issues, albeit from different perspectives.
The FTC is an enforcement body that focuses on domestic consumer protection. The Department of Commerce is a facilitator of U.S. business interests globally. As the Department of Commerce has increased its focus on privacy, the agency has worked very closely with the FTC.
Lastly, on the international front, a key goal for the Department of Commerce in 2011 will be pushing a privacy initiative launched by members of the Asia Pacific Economic Cooperation. APEC members, including the United States, have been working on a framework to facilitate cross-border data flows. APEC is an organization of 21 “member economies” that border the Pacific Ocean. Members include the United States, Russia, China, South Korea, Japan, Taiwan, Hong Kong, Australia, Canada, and Mexico.