A good bit of fanfare surrounded the Obama Administration’s release of its Consumer Privacy Bill of Rights in late February. The publication reflects the Administration’s efforts to improve online consumer privacy protections while not stifling the growth of the Internet industries.
The document is entitled, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.”
The “Bill of Rights” is supposed to establish a “baseline of clear protections for consumers and greater certainty for companies,” providing for the following:
• Transparency: Consumers have a right to easily understandable information about privacy and security practices.
• Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• Security: Consumers have a right to secure and responsible handling of personal data.
• Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
• Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
But in our view, there is not that much here that is new, and the privacy protections that it purports to provide are not as comprehensive as they sound.
The framework is based in part upon the concept that the Federal Trade Commission will have the power to enforce privacy policies established by companies themselves. But that is something that the FTC has already been doing; see here for an example.
It is true that lately, more companies have been signing on to privacy policies with “Do Not Track” features. Through the Digital Advertising Alliance, member companies (including Google, Yahoo, Microsoft and AOL) have agreed to a “Do Not Track” option on their browsers that would let consumers opt out of certain data tracking. But again, that’s something that’s already been in the works. See an example here. And the exceptions to the “Do Not Track” option make it pretty weak.
The “Do Not Track” policies provided for would not apply to search engines or other first-party sites; they would apply only to third-party sites. So when the Administration touts the cooperation of these industry leaders through the Digital Advertising Alliance, it should be understood that the leaders are giving their blessing to restraints on others, not so much on themselves (although Google subsidiaries that are third-party sites, like DoubleClick, would be covered).
Under the “Do Not Track” policy, first-party sites can still collect user data and serve users ads based upon that data. Even third-party sites under the policy can maintain and use consumer data. They are simply restricted in how they can use it: They can use it only for market research and analytics.
Another major exception to the “Bill of Rights” is that it only applies to commercial use of data.
The White House’s publication notes that “Americans value privacy and expect protection from intrusions by both private and governmental actors.” But governmental actors are not subject to this “Bill of Rights.” The statement says in a footnote that it does not cover the government’s access to data in the possession of private parties.
We generally think of a “Bill of Rights” as having universal application. Perhaps the Administration shouldn’t have been so hasty to publish something and should instead have waited and taken the time to prepare a statement that would have been more meaningful.