On February 23rd, the Obama Administration released a report – “Consumer Data Privacy in a Networked World” – that outlines a Consumer Privacy Bill of Rights, among other things. Specifically, the blueprint for privacy laid out in the report applies to personal data, or as we like to call it – identity data (the emphasis is mine):
“The Consumer Privacy Bill of Rights applies to personal data, which means any data, including aggregations of data, which is linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device.”
Having read the report on a plane heading to Barcelona for Mobile World Congress, I must say that I am impressed with it. For one, it didn’t put me to sleep as I had expected. But more importantly, it left me with some excitement and hope.
Excitement because the framework outlined within this paper, when implemented, will have a direct impact on both my professional and personal life. My personal life will be impacted because I’m a consumer, and these rights will serve to protect my interests. It impacts my professional life because I work for a company that is building the technology that will help companies adhere to the principles outlined in the Consumer Privacy Bill of Rights.
Below is a brief summary of the four key elements of the privacy framework detailed in the document:
- A Consumer Privacy Bill of Rights – This is the centerpiece of the framework and will be the basis for any future regulation that might be influenced by this initiative. It’s primarily based on the Fair Information Practice Principles (FIPPs). There are some really good examples of how each of the seven tenets applies to real-world scenarios involving our personal data today. At the heart of most of these tenets is interaction with the consumer. That is, the consumer needs to be included in, consulted on, and/or made privy to transactions involving their personal data. Obviously, this could have major ramifications on the status quo in the existing economy surrounding this data. Not only is this a technology issue as systems will need to be in place for consumers to get involved in the transactions, but it also has the potential to impact existing business models and create new ones.
- Enforceable Codes of Conduct – This is where the rubber will meet the road from a legality standpoint. The Administration is planning to convene multiple forums with stakeholders from the private sector and consumer advocacy groups who are interested in specific market or business contexts to draft enforceable codes of conduct that adhere to the Consumer Privacy Bill of Rights. This provides some much-needed flexibility in defining policies that strike a balance between adhering to the principles outlined in the Bill of Rights and respecting the nuanced differences in consumer expectations for privacy in various business contexts. For instance, personal data that is explicitly shared on a social network should be handled differently than data that is indirectly observed from your online medical record. This balancing act will not be easy, and it will inevitably favor one party over the other. But the intent is to provide a set of forums where these policies can be defined in a collaborative, transparent manner.
- FTC Enforcement – This section offered the biggest surprise for me. When I first heard about this report and the Consumer Privacy Bill of Rights, I thought that it sounded great, but that there is no way that any regulation will pass in the current political climate (election year, divided legislative branch, etc.). But after reading the report, I gained a better understanding of how the Federal Trade Commission (FTC) – under the existing FTC Act – is capable of holding companies accountable to codes of conduct related to consumer privacy that they adopt publicly. The following extract from the report sums this up nicely:
“Once a code of conduct is complete, companies to which the code is relevant may choose to adopt it. The Administration expects that a company’s public commitment to adhere to a code of conduct will become enforceable under Section 5 of the FTC Act (15 U.S.C. § 45), just as a company is bound today to follow its privacy statements. Enforceability is essential to assuring consumers that companies’ practices match their commitments and thus to strengthening consumer trust.”
This means that even without the passing of laws that provide the FTC with direct enforcement of the Consumer Privacy Bill of Rights, there will be some “teeth” in the area of enforcement.
- Global Interoperability – There is no doubt that the U.S. is lagging behind much of the rest of the industrialized world in our approach to personal data privacy issues. To that end, there is recognition that we cannot go it alone on this. The battle lines between the E.U.’s tough stance on privacy and the U.S. free market approach have already been drawn with much to lose on both sides of this battle. This framework, while currently lacking concrete action, should go a long way in bridging the divide between opposing positions. Fortunately, for both consumers and the businesses that are currently making a fortune on consumers’ personal data, it is not an all-or-nothing proposition. There is a way forward where consumers gain some visibility and control in the exchanges, while at the same time opting to provide additional data, both because they see the value in it for them through the increased transparency and because they trust that the companies leveraging that data will respect their desires.
So, is this a significant step forward for personal data privacy? You betcha!
There is a long road ahead to convene the stakeholders necessary to define the various codes of conduct and gain the critical mass of adoption from companies to turn the tide in the existing erosion of consumer data privacy. However, this, along with the privacy-enhancing principles behind the NSTIC initiative, provides hope that we may just end up with a more balanced world where the rights and desires of consumers are respected, while the opportunities for companies to leverage personal data to enhance their products and services are also increased.
If you are at all interested in consumer data privacy, the evolving identity (personal data) economy, or government regulation involving the Internet, then you should read this document. If nothing else, it is worth reading to awaken you to the issues involving the security and privacy of your own personal data. In fact, if this initiative is to be successful, then everyone will need to get involved. Our choices as consumers can be a powerful force in driving the adoption of these principles. The first step is raising awareness. It is my hope that this post will contribute to that cause.