Consumer Privacy Bill of Rights
February 23, 2012 12:49 PM

"The Obama Administration today unveiled a Consumer Privacy Bill of Rights as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled." Full 62-page PDF - Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. "In addition, advertising networks announced that leading Internet companies and online advertising networks are committing to act on Do Not Track technology in most major web browsers to make it easier for users to control online tracking. Companies that represent the delivery of nearly 90 percent of online behavioral advertisements, including Google, Yahoo!, Microsoft, and AOL have agreed to comply when consumers choose to control online tracking. Companies that make this commitment will be subject to FTC enforcement."

CONSUMER PRIVACY BILL OF RIGHTS

The Consumer Privacy Bill of Rights applies to personal data, which means any data, including aggregations of data, that is linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device. The Administration supports Federal legislation that adopts the principles of the Consumer Privacy Bill of Rights. Even without legislation, the Administration will convene multistakeholder processes that use these rights as a template for codes of conduct that are enforceable by the Federal Trade Commission. These elements—the Consumer Privacy Bill of Rights, codes of conduct, and strong enforcement—will increase interoperability between the U.S. consumer data privacy framework and those of our international partners.

INDIVIDUAL CONTROL: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.

TRANSPARENCY: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.

RESPECT FOR CONTEXT: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.

SECURITY: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.

ACCESS AND ACCURACY: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.

FOCUSED COLLECTION: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.

ACCOUNTABILITY: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.
posted by cashman (30 comments total) 13 users marked this as a favorite
 
So this sounds pretty awesome. Where exactly does this come into effect? Like what's the jurisdiction of this? Is it something that is just proposed and needs approval? What are the penalties? I saw the FCC is the enforcing agency. Definitely a great step.
posted by Phantomx at 1:03 PM on February 23, 2012




So basically the Obama administration is saying, Do As I Say, Not As I Do?
posted by zarq at 1:04 PM on February 23, 2012 [5 favorites]


It sure would be nice if both political campaigns would treat the data about its contributors and other supporters as safe as this bill purports to do.

From yesterday's "Fresh Air" interview with Joseph Turow, a professor of communication and Associate Dean for Graduate Studies at the University of Pennsylvania's Annenberg School.


(Terry) GROSS: You know, ironically, you've pointed out that politicians are starting to use the same techniques that advertisers are to gather information. What's their purpose in gathering it?

TUROW: Well, politicians want to get votes. And they have begun to realize what consumer products companies realize, that if you get a lot of information about people you can predict how they might act or what they might believe, even to the point of what kind of car do people who might vote Republican have, versus Democrats?

And the more data points you have, the belief is, the more likelihood that you can get on the right side of a person. Even the Obama administration – the Obama campaign - is perceived to be at the forefront of this stuff. If you go to their privacy policy, they take everything. They keep it. They use it. They buy other information about you if they want.

And on the privacy policy it also says that they might share it with political organizations they consider conducive.

GROSS: What information would they be buying?

TUROW: They could buy information about your purchases. They could buy information about whether you have children. They could buy information about what kind of car you have. There are lots of information out there that you might not volunteer on the Obama website, or any other campaign website, that a campaign can get, particularly if they have your name and then attach it to your voting records.

GROSS: So do you think that political campaigns are using cookies to track our movements on the Internet in the same way that advertisers are?

TUROW: They say they are.

GROSS: They say they are.

TUROW: It's exactly what's happening. Yes. And they're using it in increasingly sophisticated ways. So, for example, if you go to the Romney website and look at their privacy policy, they do not say that they buy information. They say they just use cookies that are anonymous.

But it's clear they're also going out there and getting information from other companies to do work for them. And those companies may have particular information about individuals that they then use.

posted by Vibrissae at 1:06 PM on February 23, 2012 [1 favorite]


This is super-dooper snazzy, and may even allow for EU companies to process data in the US again if the details are good.

Next question: what are the penalties for breaking it? Even the full PDF doesn't seem to list them. If it fits into established US regulatory law somehow I'd appreciate guidance on that. I'd like to know that violations are met with more than a tart letter.
posted by jaduncan at 1:08 PM on February 23, 2012


There are no penalties for breaking it, because it's not a law. It's just a suggestion, albeit one that the entire executive branch of the federal government has put its stamp on. Congress would have to pass something implementing it, then the Federal Trade Commission would have the authority to enforce it.
posted by Inkoate at 1:19 PM on February 23, 2012


The long PDF suggests (p. 27) that enforcement would be via s.5 of the FTC Act:

"The Administration expects that a company’s public commitment to adhere to a code of conduct will become enforceable under Section 5 of the FTC Act (15 U.S.C. § 45), just as a company is bound today to follow its privacy statements.32"

"32. The FTC brings cases based on violations of commitments in its privacy statements under its authority to prevent deceptive acts or practices. In addition, the FTC brings data privacy cases under its unfairness jurisdiction, which will remain an important source of consumer data privacy protection."

On looking at 15 USC § 45, it is apparent that it would be the court that sets an approximate settlement value for violations. The FTC can issue a cease and desist, but this seems problematic with many data handling/third party disclosure issues since one cannot put the genie back into the bottle. I guess the devil will be in the detail here, especially with the voluntary agreements between the web companies and the FTC.

I am not a US lawyer; corrections are welcome from those who are.
posted by jaduncan at 1:19 PM on February 23, 2012


Yes, I did rather mean in a hypothetical future when the law is in force.
posted by jaduncan at 1:20 PM on February 23, 2012


Grr, that'll teach me to post tired. *agreement is in force.
posted by jaduncan at 1:21 PM on February 23, 2012


Next question: what are the penalties for breaking it?

There are no penalties. At present, these are guidelines.
posted by Blazecock Pileon at 1:23 PM on February 23, 2012 [1 favorite]


Still, it will be so much fun watching the Republicans making their usual knee-jerk reaction against THIS piece of "over-regulation".
posted by oneswellfoop at 1:33 PM on February 23, 2012


it will be so much fun watching the Republicans making their usual knee-jerk reaction against THIS piece of "over-regulation".

I think that's the idea.
posted by nangar at 1:52 PM on February 23, 2012 [1 favorite]


Next question: what are the penalties for breaking it?

There are no penalties. At present, these are guidelines.


Putting in place a Consumer Privacy Bill of Rights: The Commerce Department’s National Telecommunications and Information Administration (NTIA) will soon convene Internet companies and consumer advocates to develop enforceable codes of conduct that comply with the Consumer Privacy Bill of Rights, building on strong enforcement by the Federal Trade Commission. The Administration will also work with Congress to enact comprehensive privacy legislation based on the rights outlined here.

They're trumpeting the fact that they are about to start negotiations on privacy rights. I'd guess the purpose is so a whole bunch of people write in to them and tell them what they want so they can use it as a club.

So what needs to happen is that we need a follow up post when the negotiations start so we can hammer them all with our opinions on this matter. That would include your Members of Congress (I unfortunately am not allowed a legislative voice in US government).
posted by Ironmouth at 2:07 PM on February 23, 2012


This is super-dooper snazzy, and may even allow for EU companies to process data in the US again if the details are good.

Unlikely. The EU safe harbour laws are much, much stronger than this. Plus, these are just guidelines and are currently unenforceable. Perhaps when they get enacted into law. I imagine that the desire to be EU-compatible is a big driver.

Plus, the EU and pretty much everyone else is reluctant to let sensitive data into the US, or even use US owned companies for computing services, because the USA PATRIOT Act potentially has the effect that the US Government could grab all the data on flimsy pretenses, and never tell the data owner. Enact as much privacy legislation as you like, but the PATRIOT Act will continue to hobble the US computing sector, especially with respect to cloud computing.
posted by His thoughts were red thoughts at 2:24 PM on February 23, 2012 [3 favorites]


The right not to be spied on via warrantless wiretapping either by the government or by companies acting on behalf of the government is suspiciously absent.
posted by Potsy at 2:27 PM on February 23, 2012 [1 favorite]


...may even allow for EU companies to process data in the US again if the details are good.

I doubt it. The privacy concerns of the EU (and Canada) centre on Patriot Act provisions. This does nothing to change that.
posted by bonehead at 2:31 PM on February 23, 2012


A bit of extra context. The EU data protection directive. Relevant sections:
(56) Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations;

(57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;

US law has been assessed by the EU as being inadequate. However, US companies may opt for certification under the US-EU Safe Harbour process, which proves that they can comply with the EU requirements.
posted by His thoughts were red thoughts at 2:35 PM on February 23, 2012


Last year, I got a peek at the software/databases that a candidate for some county office in rural Virginia was using for his campaign.

The amount of information that they had on each voter was staggering. Like, clearly-should-be-illegal staggering. My credit report has less information than these files did. The staffer who showed it to me said that there were special rules for politicians and campaigns that allowed them to mine and retain that much data. *(I have no idea if this is actually true. He didn't seem like the sharpest knife in the drawer, and was probably breaking a dozen regulations or laws by showing the databases to me)

He didn't find anything wrong with this fact whatsoever.

They even had an algorithm to provide a score as to how likely each voter was to vote, how likely they were to vote for that candidate, and how easily they could be swayed if targeted by the campaign. It was really surprising how much data they were using on an individual level, especially for such a small and inconsequential campaign. I know that politics is a dirty game, but the aggressive amorality of these local campaign staffers was even more of a turnoff than the usual stuff I see from politics (and I work for congress).
posted by schmod at 2:43 PM on February 23, 2012 [5 favorites]


Meanwhile, up north, the Harper government is doing the exact fucking opposite. Oh, Canada.
posted by oulipian at 2:49 PM on February 23, 2012


The staffer who showed it to me said that there were special rules for politicians and campaigns that allowed them to mine and retain that much data. *(I have no idea if this is actually true. He didn't seem like the sharpest knife in the drawer, and was probably breaking a dozen regulations or laws by showing the databases to me)

It's not uncommon. For example, the Australian Privacy Act 1988 (Cth) includes a provision that exempts 'political acts and practices' from the operation of the Act.

It has been highly criticised by the Australian Law Reform Commission, which recommended that the exemption be removed. There has been no move by the Government to remove it - they haven't even responded to the recommendation, and it has been 4 years since it was made.

Legislators don't often enact legislation that will inconvenience them personally.
posted by His thoughts were red thoughts at 3:14 PM on February 23, 2012 [2 favorites]


Wait, so, AOL is still a thing?
posted by Joey Michaels at 3:30 PM on February 23, 2012


Wait, so, AOL is still a thing?

Oh yeah, my boss loves the shit out of it. kill me
posted by entropicamericana at 3:32 PM on February 23, 2012 [2 favorites]


It's a nice start, but how about some more authoritative language, like in the actual Bill of Rights? "Consumers shall exercise control over what personal data companies collect from them."

Even with the best intentions, this current phrasing sounds like a twisted reading of the Miranda rights. And something about being solely referred to as a "consumer" will always bother me.
posted by Johann Georg Faust at 5:21 PM on February 23, 2012 [2 favorites]


Companies that represent the delivery of nearly 90 percent of online behavioral advertisements, including Google, Yahoo!, Microsoft, and AOL have agreed to comply when consumers choose to control online tracking.

Oh they AGREE? How nice of them! In the EU they don't get a choice.

It's ridiculous.

One thing that's nice about google though is that you can actually see the data they have on you.

You can see your web history and you can use their ad preferences manager to see what kind of information they have stored on you in terms of advertising. The ad preferences are cookie, rather than account based, and in Firefox (my main browser) they don't have any information on me at all. You can edit and remove their inferences using that page, or opt out of tracking entirely (supposedly)

The amount of information that they had on each voter was staggering. Like, clearly-should-be-illegal staggering. My credit report has less information than these files did. The staffer who showed it to me said that there were special rules for politicians and campaigns that allowed them to mine and retain that much data. *(I have no idea if this is actually true. He didn't seem like the sharpest knife in the drawer, and was probably breaking a dozen regulations or laws by showing the databases to me)

I'm not really sure there are many laws regarding what information you can store on people at all, so I'm not really sure politicians would need exemptions in order to operate. They're not selling the information, they use it to do targeted advertisements.

With politics, you have different incentives. If one store is 10% less effective at outreach, maybe they make 10% less money than their rival. But in politics it's win or lose, and even a 1% or even 0.01% difference can mean victory or defeat. So obviously they need the best data they can get.

But I find it significantly less creepy. The reason these politicians have this data is so they can figure out what you want so they can give it to you, or at least promise to give it to you.

On the other hand, I tried to stay off those lists after the 2004 election. Before the Iowa caucuses you get absolutely deluged with political calls, lots of robocalls, etc. It's kind of annoying. In '08 I made sure not to sign up for anything lest my number get out there again (they don't seem to re-use data as much, and they don't usually transfer it)

Also I linked this in the other thread but if you have Firefox check out better privacy and of course adblock plus
posted by delmoi at 5:52 PM on February 23, 2012 [2 favorites]


Well, all this is just fine and dandy, but what about all the records on all of us from the copies of internet traffic being copied to the Government directly from the taps on the core routers?
posted by mikelieman at 6:24 PM on February 23, 2012 [1 favorite]


A few quick thoughts:

1. What does this have to do with the government's own practices related to your privacy?
A. Nothing. See footnote 1 of the pdf:
This framework is concerned solely with how private-sector entities handle personal data in commercial settings. A separate set of constitutional and statutory protections apply to the government’s access to data that is in the possession of private parties.


If you're interested in that issue, you should check out some of the discussion in US v. Jones

2. Are there special rules for data collection by political candidates?
A. Yes. There is a different level of protection for "political speech" than there is for commercial speech under the 1st Amendment. It is the reason why political campaigns might still call you even if you're on the Do Not Call List. The government can tell companies not to do so and so, but telling political candidates the same thing could likely be an infringement on political speech in violation of the 1st amendment.

3. What are the penalties for this?
A. Without any implementing legislation, a violation of a company's promise that it will abide by these rules would just be a violation of Section 5 of the FTC Act, for which there are currently no civil penalties.

4. Would consumers be able to sue companies directly under this "Bill of Rights"?
A. Good question. I was wondering that too. See Right #7: "Privacy protection depends on companies being accountable to consumers as well as to agencies that enforce consumer data privacy protections."
posted by buddha9090 at 7:32 PM on February 23, 2012


Last year, I got a peek at the software/databases that a candidate for some county office in rural Virginia was using for his campaign.

I do a lot of political work with databases, creating lists of voters I predicted would vote for us and what overall turnout would be. ElecTrack is a very standard piece of software and likely the software you could have seen. If not, this is what Dems are using from federal races down to city councilmembers.

They collect basic demographic information publicly available. They run a program to predict your race. They have your entire voting history. Not who you voted for, of course, but what elections you voted in. And that can tell you almost everything you need to know about "prime" voters (those most likely to vote). Gauging how liberal or conservative is easy when you look at primary participation. How you feel about issues is easy when there are ballot measures in the record. Algorithms to predict income, religion, or ethnicity are all built off that public information.

Combine that with purchased information from marketing companies and expect a mailer stating "Candidate X wears the same brand of underwear as you."
posted by munchingzombie at 8:04 PM on February 23, 2012


That voter information is not just used for campaigns. On a local level it's not uncommon for your state rep or city councilperson to check your name against the database when you write or call their office. If you vote regularly, and give money to campaigns there's a pretty good chance your letter will make it past the intern and onto the elected official's desk. If your neighbors have good voting records as well, you have a much better chance of getting that pothole fixed and those kids chased off of your lawn.
posted by billyfleetwood at 4:40 AM on February 24, 2012


That voter information is not just used for campaigns. On a local level it's not uncommon for your state rep or city councilperson to check your name against the database when you write or call their office. If you vote regularly, and give money to campaigns there's a pretty good chance your letter will make it past the intern and onto the elected official's desk. If your neighbors have good voting records as well, you have a much better chance of getting that pothole fixed and those kids chased off of your lawn.

It's like a program to further isolate the disengaged and disenfranchised. I'll also note that the effect of it is probably de facto racist.
posted by jaduncan at 9:37 AM on February 24, 2012



