Online privacy talk hits the Hill again this week, on Wednesday, when the Senate Commerce Committee discusses the state of online consumer privacy.
Hewlett-Packard’s chief privacy officer, Scott Taylor, said that legislation alone cannot keep up with the industry. “With the changes and speed that we’re seeing in these new techniques and business models and the ability to combine data, laws and regulations just can’t keep up,” Taylor said. He wants to introduce a global framework that encourages developers to bake in privacy from the first conceptual meeting.
Taylor said that the current system of notifying consumers about their privacy rights is ineffective. He advocated using simpler privacy notices that use universal symbols reminiscent of food nutrition labeling that make it easy for customers to understand where, why and how their data are being collected.
He also envisions creating a network of nonprofit organizations, such as the Better Business Bureau, that would be authorized by governments to give customers a place to bring their privacy concerns if companies are not responsive.
Here are some highlights from a conversation with Taylor.
Q: What could baseline privacy legislation do?
A: I consider legislation in the U.S. critical. Baseline legislation should set forth the expectations, the minimum expectations to create a foundation. On top of that foundation, we can have this voluntary code of conduct or binding co-regulation. Companies that want to be seen as more responsible can self-subscribe to that and become certified. We have a perfect example of how this works in Europe, with binding corporate rules.
Q: What do you think about the proposed legislation out there right now?
A: We’re supportive of federal legislation, and encouraged by the elements in the Kerry bill.
We’ve worked with all the groups that have put forth legislation in the past four or five years, and have worked with industry groups to provide joint, collaborative feedback. They introduce concepts of accountability, and an accountability framework, which is really nothing more than a set of standards that has substance and if a company or organization subscribes to that, then they’ll create a safe harbor that would be granted if you held yourself to a higher standard.
The concept of privacy by design is also in the Kerry bill, which is really a concept of ensuring that we can drive innovation and that the concepts of privacy are considered. It’s really just a requirement that you think about privacy laws and expectations and the risks when you start conceiving a product.
Q: HP also advocates setting up authorized nonprofit agents to field customer complaints. How would that work?
A: The example in the U.S. that I like to use is the Better Business Bureau trustmarks. Oftentimes with such a large company, customer service can be frustrating. You can get lost in the abyss and can feel like you have nowhere to go. If you can’t get satisfaction from an organization, you have someone else to go to. When we get contacted, it comes to me. And I guarantee you I will find the right person to address the problem.
The concept would be that you would create a global set of certified trust agents acting on behalf of the regulators. Those trust agents, which clearly have to be nonprofit, objective organizations, could potentially work together. The way data flows these days it could be that you have a French national’s data but the issue occurred in Mexico. The concept of where you get the certification really shouldn’t matter because all the trust agents would be working with the same criteria, just as the accountability framework would be the same set of expectations.
Q: What special considerations have to be made for mobile: tablets, app stores and applications?
A: Whether it’s applications or cloud computing or network advertising, the three of them all touch on a common theme, which is an accountability chain. You’re dealing with maybe just one brand or organization, but many different companies. Like any chain, the weakest link is potentially the problem. One of the benefits of a global set of expectations around accountability is that it’s much easier to describe protections to an individual when you know that all parties have subscribed to the same code of conduct.
Apple is a perfect example. They force a very rigid approach where there’s consistency in the app development community. They’re Apple standards — like a do-not-track within one company. The uniformity that we can create with these baseline frameworks will allow us to create consistency across multiple links in the accountability chain. When it comes to the collection of data I think it comes back to the same set of criteria, having a consistent set of expectations, based on a consistent set of standards that align to laws and regulations.