FAQ: What’s in the ‘Privacy Bill of Rights?’
By Hayley Tsukayama,
The Obama administration announced what it calls its “Privacy Bill of Rights” Thursday, a long-awaited framework suggesting how companies should protect consumer information online.
What are the rights? The document outlines seven main “rights” that consumers should have, and the administration will work with Congress to enact legislation based on these rights. Notably, there’s no mention of mobile privacy in this document.
— Individual Control: In a nutshell, people should have the right to control their own data. Companies should write clear, easy-to-understand privacy policies, and give consumers a way to limit consent or opt out of data collection that is as easy as opting in.
— Transparency: Companies should be clear about what data they collect, why they need it, how they use it, who they share it with and when they will delete it.
— Respect for Context: This section of the privacy bill of rights points to special treatment for information gathered from children and teens. Essentially, this “right” declares the consumers should be able to expect that any data companies collect will be used in a way consistent with the way it was provided. So, if a company collects information for one purpose, it can’t then decide that it wants to use that data for another purpose.
— Security: Consumers have a right to expect their data will be stored and transmitted securely.
— Access and Accuracy: Consumers should be able to access their own, accurate personal data and be able to easily correct any personal data companies handle.
— Focused Collection: Companies shouldn’t collect more data than they need, and consumers should have the right to say what those limits are, within reason. Companies should also delete any data they don’t need, if they can do so without breaking the law.
— Accountability: Companies should hold their employees responsible for adhering to these rights, and consumers should be able to expect that they do. This measure calls for full audits, when appropriate, and special training for employees.
Who can enforce these? Is this a mandate? These are the White House’s recommendations for the way to proceed on privacy, but they are still voluntary guidelines. The Federal Trade Commission can police companies that agree to follow the guidelines.
“The Administration expects that a company’s public commitment to adhere to a code of conduct will be enforceable under existing FTC authority, just as a company is bound today to follow its privacy commitments,” the White House said in a fact sheet on the proposal.
Will there be a law? The administration has said that it will use this privacy framework as a guide for future comprehensive legislation, and to work with state attorneys general on getting the authority to enforce the bill of rights.
But there are some doubts about whether comprehensive legislation will make it through Congress — particularly in an election year.
There are a handful of privacy bills that have been introduced in this session of Congress, but they have failed to gain much traction.
Sen. John Kerry (D-Mass.), who has worked with Sen. John McCain (R-Ariz.) on a draft for comprehensive legislation for nearly two years, reissued a call to move forward on privacy legislation Thursday.
“Senator McCain and I have been building support for our bipartisan approach for almost two years and I welcome the Administration’s call for a baseline code of conduct wholly consistent with what we’ve been promoting,” he said in a statement. “Now let’s get something done.”
What’s this “do not track” button I’m hearing about? In conjunction with the White House’s announcement Thursday, several of the largest online advertising industry groups said they will implement “do not track” technology in Web browsers. There is no “do not track” provision in the bill of rights; this is a voluntary decision from the industry.
“Do not track” has been around for a while, but they’ve been a mixed bag in the past because while they have let advertisers know that users don’t want to be followed across the Web, not all advertisers had agreed to abide by the request.
The 400 companies in the Digital Advertising Alliance have agreed not to use data from consumers who don’t want to be tracked to customize ads or to use the data for certain purposes such as employment, health care or insurance.
They will, however, still use information from these consumers for market research. The “do not track” button will not apply to all things: Companies will still be able to track, for example, things users do when signed in to services or things they choose to “Like” through Facebook’s plug-ins.