An administration official says that legislation is essential to effective protections in the proposed Consumer Privacy Bill of Rights.
A White House official says that the administration will call on Congress to pass legislation to put the force of law behind a proposed Consumer Privacy Bill of Rights.
The administration unveiled the principles in February with the release of a privacy framework that includes voluntary programs to protect online privacy. Although the focus has been on voluntary collaboration with the private sector, the White House deputy CTO for Internet policy said on April 2 that the Consumer Privacy Bill of Rights should be put into law.
“We think that, in the long run, legislation is essential here,” Daniel J. Weitzner said in a briefing for the Congressional Internet Caucus Advisory Board. “We think it is the right time to do this.”
Weitzner said the provisions already are enforceable under Federal Trade Commission law for those companies that voluntarily adopt them. But he said that putting them into law would improve consumer confidence, provide certainty that would encourage innovation for the companies, and establish parity with European privacy protections that would enable international information sharing.
The administration’s privacy framework includes a fundamental shift to individual control of personal information, giving persons a say in what information can be gathered in commercial transactions and how it can be used.
The principles outlined in the proposed Consumer Privacy Bill of Rights are:
Individual control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
Transparency: Consumers have a right to easily understandable information about privacy and security practices.
Respect for context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Security: Consumers have a right to secure and responsible handling of personal data.
Access and accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
Focused collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
“Government has always had a central role in establishing trust in the marketplace,” Weitzner said. “The Internet is no different. We need a strong government role to ensure that consumers are comfortable with new technology.”
Because it is unlikely Congress would enact any such legislation soon, the Commerce Department’s National Telecommunications and Information Administration already is working with corporate and consumer groups to develop a consensus for a voluntary code of conduct based on the framework.
The FTC last month released long-awaited recommendations for online privacy policies calling for greater regulation of data brokers and more choices for consumers, including a Do Not Track option that could stop collection of most data. Chairman Jon Leibowitz said that the commission is working with the NTIA to support the bill of rights with enforcement of existing FTC law, but that the FTC would not propose any new rules.
This level of protection falls short of what the European community requires before it will allow free exchange of personal information between the United States and Europe. Weitzner said that this country shares a common set of principles on privacy with Europe, but that the United States lags in its enforcement.
Online privacy legislation would help establish a global playing field to which U.S. companies would have easier access.
At the heart of the legislation would be a “safe harbor” provision that would allow the FTC to certify that a company’s privacy policies are in line with the provisions of the Consumer Privacy Bill of Rights.
“With this policy we can keep privacy rules up to date and flexible,” without the time-consuming rule-making process of traditional regulatory schemes, Weitzner said.