Obama Sets Out Privacy Framework; FTC and DAA Preview Privacy Priorities

 

The White House Report.

On February 23, 2012, the White House released a report entitled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, setting forth the Obama Administration's blueprint for strengthening online privacy.  The centerpiece of the Report is a proposed "Consumer Privacy Bill of Rights" designed to give consumers greater control over how their personal data is used on the Internet.             

The Privacy Bill of Rights lays out seven core principles that online users should reasonably expect from every company doing business online:  (1) Individual Control over what personal data companies collect from them and how they use it; (2) Transparency in the form of easily understandable and accessible information about the company's privacy and security practices; (3) Respect for Context such that personal data is collected, used and disclosed in ways that are consistent with the context in which consumers provide the data; (4) Security that guarantees secure and responsible handling of personal data; (5) Access and Accuracy to request, receive and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate; (6) Focused Collection that reasonably limits the personal data that companies collect and retain; and (7) Accountability on the part of companies in the form of appropriate policies and practices that ensure adherence to the Consumer Privacy Bill of Rights.

Federal Trade Commission (FTC).

The White House Report reaffirms the FTC's central role in enforcing online privacy in the U.S. and urges Congress to give the FTC and state attorneys general (in consultation with the FTC) direct authority to enforce the Privacy Bill of Rights.  In addition, the FTC would be authorized to design a "safe harbor" for companies that comply with a code of conduct that has been reviewed and approved by the FTC.

On the heels of the White House Report, the FTC released its annual list of top consumer complaints on February 28.  "Identify theft" complaints topped the list with 15 percent of the tracked complaints.  Other major complaint categories included "prizes, sweepstakes, and lotteries" (6 percent), "banks and lenders"(5 percent), "internet services" (5 percent) and "telephone and mobile services" (4 percent).  Given the explosion of online business models that monetize the use of consumer data (e.g., online advertising), and the rapid growth in data-hacking and breach incidents, the complaint survey foreshadows some of the agency's overall data privacy priorities in the online space. 

The FTC also recently issued a staff report describing the results of a survey of mobile apps for children, which concluded that neither the app stores nor the app developers provided sufficient disclosures to allow parents to determine what data is being collected from their children, how it is being shared or who will have access to it—issues governed by the Children's Online Privacy Protection Act (COPPA), which carries potentially stiff monetary penalties for non-compliance.

Industry Reaction.

Key industry players are responding to these government developments.  In particular, the Digital Advertising Alliance (DAA) recently announced that its 400+ member companies—including Google—will develop "Do Not Track" technology for web browsers.  A "Do Not Track" button would enable consumers to opt out of having companies use data about their web-browsing behavior to customize ads or for employment, credit, health-care or insurance purposes; however, companies would still be able to use the data for market research and product development.  The DAA committed to adopt and implement the "Do Not Track" system by the end of 2012 and the FTC has indicated its intent to enforce compliance with the system under Section 5 of the FTC Act, which broadly prohibits "unfair" and "deceptive" practices.  If successful, the "Do Not Track" system could be a significant step toward greater user control, transparency and security of personal data collected online.

Given the renewed focus on privacy protection matters at the highest levels of the Administration, Federal Trade Commission and Industry, companies doing business online are well advised to take a hard look at their internal data management procedures, privacy policies and terms of use, and third-party data-processing vendors.  Identifying potential vulnerabilities early on can help to mitigate unwanted disruption and expenses down the road.