White House Releases Framework for Consumer Data Privacy

On February 23, 2012, the White House released Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (the “Framework”). The Framework is meant to improve consumers’ privacy protections without stifling the sort of innovation and economic growth that companies seek via the digital space. At its core, the Framework consists of four overarching elements: (i) the Consumer Privacy Bill of Rights; (ii) multi-stakeholder processes to develop enforceable codes of conduct; (iii) post-development enforcement by the FTC; and (iv) promoting international interoperability. As the Framework cannot itself be used as a basis for holding those who violate its principles accountable — there is no law stating that companies are required to adopt these policies. The developments in the coming months of enforceable codes of conduct and the adoption of such codes by companies will be especially telling of the Framework’s effectiveness.

The Consumer Privacy Bill of Rights

The foundation of the Framework lies in its Bill of Rights, which consists of seven principles the Administration considers to be necessary in the development of enforceable privacy standards:

  1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
  3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  4. Security: Consumers have a right to secure and responsible handling of personal data.
  5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The Commerce Department’s NTIA Development of Enforceable Codes of Conduct

The National Telecommunications and Information Administration (NTIA) is in charge of facilitating the second element of the Framework, multi-stakeholder processes to develop enforceable codes of conduct. Its task is to convene stakeholders – including companies, privacy and consumer advocates, technical experts, international partners, and academics – to establish specific practices or codes of conduct that implement the full Consumer Privacy Bill of Rights. NTIA will provide a forum for discussion and essentially mediate consensus-building among stakeholders. Because a code of conduct will not be binding on a company unless and until that company affirmatively commits to follow it, consensus is crucial to the Framework’s effectiveness. NTIA’s corresponding role cannot be understated.

Although participation in the process, and the adoption of any enforceable codes developed through the process, are entirely voluntary, certain incentives may draw in participation. The Administration sees the incentives to be two-fold: (i) companies will build consumer trust by engaging directly with stakeholders during the process; and (ii) in any enforcement action based on conduct covered by a code, the FTC will consider a company’s adherence to a code favorably. The first incentive will gain strength with each additional consumer who chooses to participate in the process. So, when can you begin participating?

On March 5, 2012, NTIA released a notice calling for public comment on substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct, as well as procedures to foster the development of these codes. Although the comment process outwardly applies to companies or organizations that may choose to be bound by newly developed privacy codes, any person or organization may choose to participate in the process. The public comment process is the first step toward building the all-important consensus that will be needed for any privacy-related code to be complete. Once a code is complete, companies to which the code is relevant may adopt it. A company’s public commitment to adopt and adhere to a code means that such code is enforceable by the FTC in the same ways a company’s privacy policy is.

How to Participate

Persons wishing to participate in the process and submit written comments may do so via email submission to privacyrfc2012@ntia.doc.gov. All comments received are a part of the public record and will generally be posted to http://www.ntia.doc.gov/category/internet-policy-task-force without change. All personal identifying information (for example, name, address, etc.) voluntarily submitted by the commenter, may be publicly accessible. Do not submit Confidential Business Information or otherwise sensitive or protected information. NTIA will accept anonymous comments (enter “N/A” in the required fields if you wish to remain anonymous). Comments are due on or before 5 p.m. Eastern Daylight Savings Time on March 26, 2012. Further instructions on participating can be found here.

This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.