It’s only March and it has already been a very busy year for privacy professionals. In January, Viviane Reding, Vice President of the European Commission, announced a proposal to reform the European Union’s data protection framework. On this side of the Atlantic, the White House recently released a lengthy paper titled “Consumer Data Privacy in a Networked World” with the intent of finally launching comprehensive federal privacy legislation in the United States. As a result of these proposals, privacy professionals everywhere are anticipating a major overhaul of privacy law which could have a serious impact on the organizations they support. Trevor Hughes, the president and CEO of the International Association of Privacy Professionals (IAPP), the largest privacy association in the world, recently dubbed this time “the end of the beginning of privacy regulation.” Indeed, since most privacy regulations were introduced in the mid-90’s, they are inadequate in today’s connected world and are falling further and further behind. This white paper summarizes the White House’s proposal and offers some perspective on what this may mean for marketers in the coming years.
WHAT ARE THEY PROPOSING?
The Administration is asking Congress to enact legislation that will apply the Privacy Bill of Rights to all commercial organizations that aren’t already covered by a Federal privacy law. Once enacted, they will initiate what they call a “multi-stakeholder process” to determine the specific regulations that are applicable to various industry groups. To this end, they propose hosting open forums driven by the Dept. of Commerce to discuss and define a framework in coordination with industry groups and other interested parties. Previously codified industry-specific regulations like HIPAA (health care), COPPA (marketing to children) and Gramm-Leach-Bliley (financial services) will be left alone, and the intent of new legislation will be to fill in the gaps between these existing laws. The blanket term used for new legislation is “The Consumer Privacy Bill of Rights” and it would govern commercial uses of personal data. According to the paper, the term personal data would: “refer to any data, including aggregations of data, which is linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device.” Accordingly, new regulations would focus on seven broad areas:
Individual Control
Companies should give consumers control over the data they collect, both at the time of collection (to control the scope of data collected) and afterwards (to control how data is being used). The interesting point here is that the choices given to consumers could increase or decrease according to the “scale, scope, and sensitivity” of the data in question. They also suggest that if providing control to consumers is not practical (say, for a third party data handler) then the company could compensate by strengthening compliance in other areas, such as providing more transparency about their practices. There is also a specific reiteration of the call for an Opt-Out mechanism for online targeted advertising.
Transparency
Information detailing data handling and usage practices should be available to consumers at appropriate times so they can make good decisions about data disclosure and not be surprised by a company’s data policies at a later date. The concept of a “scale of transparency” is introduced, in that commonly accepted usages of data may not need as much transparency as unusual or unexpected data usage practices. Mobile devices are highlighted as an area that could benefit from novel methods of providing transparency, given that the standard privacy notice does not work well on a small screen. Third party companies that process but do not directly collect data are encouraged to provide as much information as possible about their collection, use, and retention methods, and companies that use third party data processors should clearly indicate who processes data for them and for what purposes. The idea seems to be that if data collectors and third party data processors work together to provide information, then consumers will be better able to piece together what is happening with their data.
Respect for Context
Data should be used in a way that is consistent with a company’s relationship with the consumer and makes sense given the original context of data disclosure. This one is a little nebulous, but the intent is to discourage companies from collecting data under one pretense and then using it for another without obtaining consent from the consumer. For example, if contact information is collected as part of an online retail transaction, that information shouldn’t be used to market unrelated products to the consumer, because marketing wasn’t a part of the original context of an online purchase. If a company does intend to use data outside of the original context of collection, they should be highly transparent about their intentions so consumers can make an informed choice before providing their data.
Security
Not much guidance is actually given here, just the admonition that companies should decide what is most appropriate given the nature of data collected and the context of its usage. Again, the implication is that a sliding scale could be implemented, with less important information reasonably receiving less security than highly sensitive information. This is an area where industry groups would be well served to create a set of industry best practices.
Access and Accuracy
Consumers should be able to access, review, and correct the information they provide to companies as needed. This is a common component of privacy frameworks and there isn’t much new here, except that the administration advocates that companies provide access online whenever possible as the easiest method of giving consumers access to their data. They also explicitly call out that they do not intend to suppress anyone’s First Amendment right to free speech as part of maintaining “accuracy” of information online, since this principle is concerned with information that a consumer supplies to someone else and not necessarily information that was written about them.
Focused Collection
This is intended to prohibit the broad-based collection of information that is not necessary given the context of the data collection. This is a common thread among privacy frameworks, namely: “collect only what you need and destroy it when you’re done.” Most online services that involve data collection do indeed have a limited context, so it shouldn’t be difficult to identify what data is actually necessary. However, some services use broad-based data collection inherently and thus don’t exist in a limited context. Such services would be required to adhere closely to the principle of Transparency to compensate for their lack of focused data collection.
Accountability
Companies should be held accountable to an established authority. In addition to this, they should also adopt internal accountability practices, including internal audits and the onboarding of privacy professionals such as a Chief Privacy Officer. This topic is interesting in that the Administration’s guidance downplays the role of enforcement authorities and encourages proactive steps on the part of companies.
WHO WILL OVERSEE AND ENFORCE THIS?
The Federal Trade Commission would be tapped to enforce any privacy legislation that is adopted. Under the existing privacy framework, the FTC can apply enforcement actions under the auspices of “unfair or deceptive trade practices” when organizations don’t adhere to their own (voluntary) privacy policies. In addition, the FTC currently has the authority to bring cases against companies who don’t provide reasonable security measures to protect consumer data. Under the White House proposal, the FTC will continue to hold the same enforcement authority. However, that authority would be extended to cover enforcement of industry privacy standards to which companies voluntarily agree to adhere, and would be backed up by an overarching legal obligation of commercial organizations to adhere to the Privacy Bill of Rights. That being said, the White House is hoping that industry groups who develop their own set of standards (in conjunction with the FTC and the Department of Commerce) will be the first line of defense in enforcing those standards, effectively nipping some errant practices in the bud. By encouraging industry groups, academics, and other interested parties to form partnerships to draft industry-specific guidelines which companies can adopt and adhere to, the White House is attempting to mitigate the “us vs. them” mentality of Government vs. Industry through cooperation and industry involvement, while recognizing that an industry-based approach to guideline creation is more flexible and will allow regulations to keep pace with technological changes. What if a company decides not to voluntarily adhere to its industry’s guidelines? Committing to a code or multiple codes should help organizations mitigate risk by clearly defining the boundaries, and will allow them to provide assurance to their customers that their data is being protected.
If an organization does not voluntarily commit to an industry set of regulations, the FTC will still have the authority to pursue violations under the Privacy Bill of Rights but the alleged violator will not have the protection of an industry framework to back them up. From the consumer’s perspective, all of the principles under the Privacy Bill of Rights should ultimately lead to more protection, transparency, and, hopefully, trust. It should not be necessary for them to understand under which industry guidelines the companies they do business with operate, but they will certainly have access to those guidelines should they want it. The important thing is that the FTC will still be the ultimate enforcer of the law, just as they are now.
NOTIFICATION OF DATA BREACH
The Administration supports the creation of federal data breach notification requirements which would replace existing state laws. The Consumer Privacy Bill of Rights would specifically include language creating federal requirements. Federal legislation in this area would be welcomed by all parties involved, and in fact, industry groups have been requesting it for quite some time.
INTERNATIONAL DATA TRANSFERS
The concept of a “multi-stakeholder” process could be extended to the international arena to include industry representatives, regulatory agencies, and other interested parties from several nations or regions. The implication seems to be that the Administration would facilitate this process by bringing the interested parties together, and any framework agreed upon would then be available for companies to adopt. Frameworks would have to explicitly address two things:
Mutual recognition of the existing privacy regulations in each jurisdiction. By including this provision, any company that adopts the framework would implicitly be acknowledging the legitimacy and applicability of each country’s regulations.
A statement guaranteeing enforcement cooperation between the applicable enforcement agencies. By identifying the relevant regulatory body in each country and defining their enforcement powers, the framework could avoid ambiguities about jurisdiction, applicability, and enforcement powers.
As with the US-only industry guidelines, the international privacy frameworks would be available for companies to adopt, but adoption would not be mandatory. If a company did adopt the framework, they would be legally binding themselves to its provisions and subjecting themselves to legal action in multiple jurisdictions if they violated the framework.
WHAT TO EXPECT NEXT
The Administration has laid out a comprehensive view of how consumer privacy could be handled from a federal perspective, but of course the White House cannot pass laws. If the vision presented in “Consumer Data Privacy in a Networked World” is to become reality, Congress must pass legislation which empowers the Department of Commerce or FTC to initiate the multi-stakeholder processes and drive the formation of guidelines on an industry level. Any federal law would likely be skimpy on details and instead would include a deadline by which the process must be complete. The filling in of details would be left to the various “stakeholders,” guided no doubt by the hand of the FTC. Most interested parties would agree that the time has come for the United States to create comprehensive national privacy laws. Additionally, most parties would probably agree that the proposed multi-stakeholder approach is a good one, in that it encourages input from everyone involved and yet is enforceable by a centralized authority. The main lingering question is: will enough companies voluntarily adopt the guidelines to make them relevant? Currently, the missing piece of the self-regulation puzzle is a lack of consumer involvement. Consumers aren’t really using their buying power as leverage to force companies to adopt better privacy and data handling practices. If a federal privacy law went into effect, consumers would have a better standard to hold companies to and could actually make consistent, informed decisions about the companies they patronize – and this could have a profound effect upon how companies and data handlers conduct their business.
For nearly 20 years, Catalysis has specialized in the digital integration of award-winning marketing campaigns that drive connected, measurable results. Our clients include Microsoft, Moss Adams, Banner Mattress, Thunder Valley Casino, BabyLegs, and WineBid.
The information contained in this publication is general and is for informational purposes only. Catalysis makes no warranties, express or implied, in this material.