Statutory “Consumer Privacy Bill of Rights”, FTC-reviewed/FTC-approved private codes of conduct highlight Administration’s opening gambit

Hoping to shape the development of national – and possible international – consensus on the privacy protections to which on-line consumers should be entitled, the Obama Administration has issued a report on “Consumer Data Privacy in a Networked World” in which it lays out a “blueprint for privacy in the information age.” A central component of the report is a proposed “Consumer Privacy Bill of Rights”. That “bill of rights” reflects a set of principles which are, at this point, merely aspirational, with no independent legal force. The White House is hoping to change that on at least two fronts.

First, it is calling on Congress to pass laws that would impose the “bill of rights” on commercial sectors not currently subject to federal data privacy laws. And second – presumably because it recognizes that Congressional action is far from a sure thing – the Administration is calling on a wide range of “stakeholders” to develop their own “codes of conduct” effectively implementing the “bill of rights”. The idea is that such codes, once publicly and affirmatively adopted by companies subject to Federal Trade Commission (FTC) regulation, could be legally enforced by the FTC. The stakeholders the White House is targeting include companies, privacy and consumer advocates, “international partners”, state attorneys general, criminal and civil law enforcement representatives and academics.

This approach appears to have the support of major on-line companies such as Google and Yahoo. Some consumer advocates remain wary about the process and concerned that rigorous enforceable protections may not be achieved.

At this point, it’s impossible to reliably predict the chances that the “bill of rights” will ultimately be adopted – whether by Congress or by a significant number of the commercial “stakeholders” identified by the White House. Still, the process of developing broad privacy standards has now been started, and all companies that do business on the Internet should be aware not only of the proposed “rights” (and the burdens that they could impose), but also of the process by which any such “rights” are likely to be developed and implemented.

What Rights? – Just what “rights” are on the table?

The White House’s “bill of rights” is intended to provide a “baseline of clear protections for consumers and greater certainty for companies.” It is based on longstanding, globally recognized, Fair Information Practice Principles (FIPPs), and bears a striking similarity to the European Union’s influential Data Protection Directive. Under the Administration’s proposals, consumers would be entitled to the following, while affected companies would be expected to respond as indicated:

Individual Control – Consumers would get the right to exercise control over what personal data companies collect from them and how they use it. Companies would be expected to enable consumer choice over use of their personal data by providing easy-to-use mechanisms reflecting the “scale, scope and sensitivity” of the data being collected.

Transparency – Consumers: the right to easily understandable and accessible information about privacy and security practices. Companies: provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete or de-identify it, and whether and for what purposes they will share the data with third parties.

Respect for Context – Consumers: the right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies: “heightened measures of Transparency and Individual Choice” would be required if, after collecting data, a company were to decide to use the data for purposes inconsistent with the original context under which it was collected.

Security – Consumers: the right to secure and responsible handling of personal data. Companies: assess their data collection and protection practices, and maintain reasonable safeguards to control risks of loss, unauthorized access, and improper disclosure.

Access and Accuracy – Consumers: the right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies: use reasonable measures to ensure that they maintain accurate personal data.

Focused Collection – Consumers: the right to reasonable limits on the personal data that companies collect and retain. Companies: collect only as much personal data as they need, consistent with the Respect for Context right.

Accountability – Consumers: the right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies: accountability to enforcement authorities and consumers for adhering to these principles.

These concepts are obviously broad and vague. But that appears to be purposeful, since the “bill of rights” as envisioned by the White House is intended to serve merely as a basic framework for protections in the myriad commercial areas not already subject to more specific federal privacy regulation (e.g., healthcare, financial services, education, telecommunications).

Implementation – As it stands now, the “bill of rights” is little more than a wish list, a set of desirable goals the Administration would like the commercial world to embrace. Turning the “rights” into enforceable codes of conduct will not be simple. The White House proposes to do that through an “open, transparent, multistakeholder” process. The stakeholders would include “international partners” in the process. The goal there is presumably to assure that any U.S. codes of conduct would qualify for international “safe harbor” standards, thus facilitating international trade for U.S. companies.

The job of soliciting input from all of the stakeholders has been given to the Department of Commerce’s National Telecommunications and Information Administration (NTIA). While Commerce has previously waded into privacy policy, the FTC has as well. The choice of NTIA as the locus of the process may be an effort to encourage on-line industry participants to participate. Also, since the White House appears to contemplate that the FTC would be the agency with primary enforcement authority relative to any codes of conduct that get developed, the Administration may feel it more appropriate to leave the development to a separate agency.

Several consumer groups have already expressed concerns, though, that one or more stakeholders may attempt to impose “unilateral solutions” on consumers. Those groups have proposed their own process principles.

Notwithstanding the involvement of NTIA, or the FTC, in the development phase of any codes of conduct, the Administration sees such codes as being primarily private initiatives that “can provide the flexibility, speed, and decentralization necessary to address Internet policy challenges.” As models, the White House is looking at such non-governmental organizations as the Internet Engineering Task Force, and the Internet Corporation for Assigned Names and Numbers (ICANN) which are responsible for important Internet-related technical standards.

Is This Enforceable? – Um, no. As matters now stand, the components of the Administration’s “bill of rights” are not enforceable. But there are at least two ways in which they might become enforceable, directly or otherwise.

First, as noted above, the White House hopes that the stakeholder discussions it is initiating will lead to the adoption of specific codes of conduct to which companies will publicly commit themselves. Such commitment to compliance could provide the FTC the hook necessary to enable it to bring enforcement actions against companies whose conduct falls short of their commitment to the code they have embraced. (This would be similar to the FTC’s current practice, under its authority to prevent deceptive trade practices, of bringing enforcement actions based on a company’s violation of its own website privacy statements.)  

Along the same lines, private codes of conduct might also serve as a measure of the reasonable standard of conduct applicable to parties engaged in on-line activities involving data collection. For instance, plaintiffs in defamation cases often seek to use the Code of Ethics of the Society of Professional Journalists to establish that a defendant acted negligently because he or she failed to strictly adhere to that Code.  The consumer privacy code of conduct envisioned by the White House could provide a similar yardstick for treatment of personal information collected on-line.

Second, the White House Report urges Congress to pass legislation adopting the proposed “Consumer Privacy Bill of Rights”, but with more specific terms that would be worked out between the White House and Congress during the drafting stage. 

As the White House sees it, that legislation would provide a number of enforcement mechanisms. First, the FTC would be given the authority to (a) review any private codes of conduct that companies might adopt and (b) effectively grant those companies forbearance from enforcement under the statutory provisions provided that the companies commit to adhere, and do in fact adhere, to their private codes.  Such FTC review would be subject to a number of limitations (e.g., require public comment, complete agency review within 180 days, etc.). Importantly, such private codes would have to reflect the “consensus of all participants in the multistakeholder process”.  

The “safe harbor” approach – i.e., forbearance from compliance with a statutory “bill of rights” – would theoretically encourage companies to devise their own codes of conduct, subject to the FTC review process. (While the White House Report does not address the possibility expressly, it appears at least possible that a company that adopts a code not reviewed and approved by the FTC might still also be subject to FTC enforcement for violating that code, under the FTC’s existing Title 5 authority to prevent deceptive trade practices.)

Second, the FTC would be given authority to directly enforce each element of the statutory “bill of rights”. 

So would state attorneys general (at least as long as they coordinate their enforcement actions with the FTC). But the ability of individual states to provide their own separate privacy protections would be limited. In the hope of establishing nationally uniform privacy rules, the White House recommends that state privacy laws be preempted to the extent that they are inconsistent with whatever “bill of rights” Congress may enact. And companies that adopt FTC-approved private codes of conduct would be exempt from enforcement activities based on state privacy laws. The Administration Report does suggest that states could enact their own privacy laws, but only so long as they “not disrupt the broader uniformity the Report seeks in consumer data privacy protections.” State officials are not likely to be happy with the proposed federal preemption of their existing privacy laws.

While it may be politically necessary for the Administration to suggest joint federal/state enforcement of federal privacy requirements, the result could become a confusing and dangerous quagmire for consumers, and negate the regulatory certainty that companies seek.

What’s Next? – The process the White House hopes will ultimately lead to enforceable private codes of conduct has started. The NTIA has called for comments on the “substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct, as well as procedures to foster the development of these codes.” (Comments are due by March 26, 2012.) The NTIA is seeking input on a wide range of threshold issues, including privacy issues associated with mobile apps, cloud computing services, and on-line services targeted to children. The NTIA also asks numerous questions regarding process, including how the term “consensus” should be defined.

With regard to the prospects for legislation, it’s probably best not to hold your breath. While some Senators and Representatives have publicly concurred that legislation to protect on-line consumers is a good idea, let’s not forget that a number of privacy bills have been sitting on the Hill for years already with no action. Given that, a betting man would not stake much on seeing such legislation any time soon.

Of course, it’s impossible to predict what impact, if any, the White House proposal will ultimately have. Time alone will tell.

What we do know is that the Obama Administration has clearly embraced the issue of on-line privacy and is seeking to position itself as a champion of the on-line consumer. In view of recent, highly public, privacy flaps involving a number of the major on-line players (e.g., Apple, Google), that may be a smart move, particularly with a presidential election fast approaching. But note also that the White House proposal constitutes yet another effort by the Administration to try to assert some measure of federal control over Internet-related conduct. Such efforts might ordinarily alienate many on-line companies – as have the FCC’s net neutrality initiatives. But the White House’s proposed approach to privacy protection does include the notion of “private” codes of conduct. That notion arguably gives companies some opportunity to take control of their own fates (if you don’t focus too closely on the “consensus” obligation the White House Report would impose), which might deflect some opposition.

In any case, the White House is trying to set the tone, and possibly establish some preliminary parameters, of the debate about on-line privacy protections. We won’t know whether that effort is going to be successful for some time. Check back here on CommLawBlog – we’ll keep you updated as developments warrant.