Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights
The Obama Administration unveiled a “Consumer Privacy Bill of Rights” as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled. This initiative seeks to protect all Americans from having their information misused by giving users new legal and technical tools to safeguard their privacy. The blueprint will guide efforts to protect privacy and assure continued innovation in the Internet economy by providing flexible implementation mechanisms to ensure privacy rules keep up with ever-changing technologies. As a world leader in the Internet marketplace, the Administration believes the United States has a special responsibility to develop privacy practices that meet global standards and establish effective online consumer protection.
- · Putting in place a Consumer Privacy Bill of Rights: The Commerce Department’s National Telecommunications and Information Administration (NTIA) will soon convene Internet companies and consumer advocates to develop enforceable codes of conduct that comply with the Consumer Privacy Bill of Rights, building on strong enforcement by the Federal Trade Commission. The Administration will also work with Congress to enact comprehensive privacy legislation based on the rights outlined here.
- · Achieving privacy policies for a Global, Open Internet: U.S. companies doing business on the global Internet depend on the free flow of information across borders. The Administration’s plan lays the groundwork for increasing interoperability between the U.S. data privacy framework and those of our trading partners.
- · Industry Action – Down payment on Individual Control principle: In response to calls from the Administration and the Federal Trade Commission (FTC), leading Internet companies and online advertising networks are committing to use Do Not Track technology from the World Wide Web Consortium in most major web browsers to make it easier for users to control online tracking. Companies that represent the delivery of nearly 90 percent of online behavioral advertisements, including Google, Yahoo!, Microsoft, and AOL have made this FTC-enforceable commitment.
President’s Commitment to Protecting Privacy on the Internet
The President will assure strong individual privacy protection in the Internet age with the following actions:
- · Putting in place a Consumer Privacy Bill of Rights: American Internet users should have the right to control personal information about themselves. Based on globally accepted privacy principles originally developed in the United States, the Consumer Privacy Bill of Rights is a comprehensive statement of the rights consumers should expect and the obligations to which companies handling personal data should commit. These rights include the right to control how personal data is used, the right to avoid having information collected in one context and then used for an unrelated purpose, the right to have information held securely, and the right to know who is accountable for the use or misuse of an individual’s personal data.
- · Convening commercial and public interest stakeholders to assure dynamic rules: The Commerce Department’s NTIA will convene stakeholders including industry and privacy advocates to develop enforceable codes of conduct that implement the principles in the Consumer Privacy Bill of Rights for specific industry sectors. The President’s privacy framework assures that as new Internet services develop privacy rules will keep up with, and not hamper, the pace of innovation. This framework takes advantage of the flexibility of self-regulatory processes but assures that new codes of conduct are guided by a comprehensive, forward-looking set of privacy principles and that all interested parties such as consumer advocates have a voice in the process.
- · Strong Enforcement by the Federal Trade Commission: FTC enforcement is critical to ensuring that companies are accountable for adhering to their privacy commitments and that bad actors do not disadvantage responsible companies. The Administration expects that a company’s public commitment to adhere to a code of conduct will be enforceable under existing FTC authority, just as a company is bound today to follow its privacy commitments. In addition, the Administration will work with Congress to develop legislation that provides the FTC and State Attorneys General with specific authority to enforce the Consumer Privacy Bill of Rights.
- · Flexible privacy principles to assure continued innovation: Relying on flexible implementation through enforceable codes of conduct, the Administration’s privacy blueprint will help assure continued growth in the Internet economy, both by building consumer trust and avoiding burden. Online retail sales in the United States total $145 billion annually. The Internet contributed 3.8 percent of U.S. GDP in 2009, and 15 percent of U.S. GDP growth between 2004 and 2009. The Internet contributes $175 billion in direct economic value to the rest of the U.S. economy, including $20 billion in advertising services, $85 billion in online retail transactions, and $70 billion in direct payments to Internet service providers.
- · Enacting comprehensive privacy legislation: The Consumer Privacy Bill of Rights outlines the basic principles the Administration believes should be reflected in a privacy law and will work with Congress to enact these rights. In addition to proposing these clear and actionable rights, the Administration’s privacy report outlines an a way for companies to be confident that they are respecting these rights through an FTC-approved enforcement safe harbor. This approach will protect consumers while providing the certainty and flexibility necessary for continuing innovation.
- · Achieving Global Open Internet privacy policies: U.S. companies doing business on the global Internet depend on the free flow of information across borders. The Administration’s plan lays the groundwork for increasing interoperability between the U.S. data privacy framework and those of our trading partners. The plan emphasizes mutual recognition of privacy frameworks, an international role for codes of conduct, and enforcement cooperation. These approaches will provide consistent protections for consumers, reduce compliance costs for companies, guide U.S. efforts to clarify data protections globally, and ensure the flexibility that is critical to innovation in the commercial world.
Building on Progress
The President’s initiatives for Internet privacy build on successful, transparent engagement with privacy stakeholders in the commercial and advocacy communities, coordinated by a privacy subcommittee of the National Science and Technology Council with cross-Administration participation.
- · Demonstrating global leadership: In May 2011, the President released his International Strategy for Cyberspace, which has influenced new international agreements, such as the Organization for Economic Cooperation and Development’s (OECD) Internet Policymaking Principles.
- · Nominating a Privacy and Civil Liberties Oversight Board: The President has nominated a full slate of members of the independent privacy body that will provide guidance and oversight of government use of personal information in the counter-terrorism and law enforcement context.
CONSUMER PRIVACY BILL OF RIGHTS
The Consumer Privacy Bill of Rights applies to personal data, which means any data, including aggregations of data, that is linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device. The Administration supports Federal legislation that adopts the principles of the Consumer Privacy Bill of Rights. Even without legislation, the Administration will convene multistakeholder processes that use these rights as a template for codes of conduct that are enforceable by the Federal Trade Commission. These elements—the Consumer Privacy Bill of Rights, codes of conduct, and strong enforcement—will increase interoperability between the U.S. consumer data privacy framework and those of our international partners.
- Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
- Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.
- Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.
- Security: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.