X

Obama unveils Consumer Privacy Bill of Rights

President promises privacy legislation and says Google, Yahoo, Microsoft, and AOL are committed to working with Do Not Track technology in browsers.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
7 min read

The Obama administration plans to work with Congress to enact legislation to protect peoples' online privacy based on a Consumer Privacy Bill of Rights being unveiled tomorrow.

At the same time, Google, Yahoo, Microsoft, and AOL are committing to work with Do Not Track technology in most major Web browsers so people can stop companies from tracking them as they bounce around the Internet, the administration said in a statement.

The announcement comes as Google, Apple, and other technology companies are being increasingly criticized for not doing enough to protect consumers' privacy rights online. The problem has become particularly acute with the widespread use of mobile devices and apps used on them that keep track of peoples' private communications, physical whereabouts, address books and other sensitive personal information.

The Consumer Privacy Bill of Rights will give Internet users the right to: control what data is collected, how their personal data is used and shared; avoid having information collected in one context and then used for another purpose; have data held securely; and to know who is accountable for the misuse of the data. It applies to personal data, which means any data--including aggregations of data--that is linkable to a specific individual.

The Commerce Department's National Telecommunications and Information Administration will work with Internet companies and consumer advocates to come up with codes of conduct that comply with the new bill of rights. A Federal Trade Commission-approved enforcement "safe harbor," meanwhile, will provide companies with the "flexibility necessary for continuing innovation."

"The president's privacy framework assures that as new Internet services develop privacy rules will keep up with, and not hamper, the pace of innovation," the statement said. "This framework takes advantage of the flexibility of self-regulatory processes but assures that new codes of conduct are guided by a comprehensive, forward-looking set of privacy principles and that all interested parties such as consumer advocates have a voice in the process."

The code of conduct will be enforceable under existing FTC authority, but the administration also will work with Congress to develop legislation that gives the FTC and State Attorneys General specific authority to enforce the Consumer Privacy Bill of Rights, according to the administration's statement.

The administration has been working on the bill of rights for online privacy for two years in consultation with industry, privacy advocates, academics and enforcement agencies. Details are included in a report the government is issuing. The administration has also scheduled a news conference at noon ET.

The statement calls for "strong enforcement," but provides no details, which is not ideal, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center.

"The principles are genuinely good," he told CNET in an e-mail. "The problem is that there is no plan for implementation or enforcement."

Consumer online privacy is a hot topic these days, with complaints that Google and Facebook, among others, compromise the privacy of consumers in order to boost advertising opportunities and revenues. Recently, several lawmakers and consumer advocates filed complaints with the FTC over Google's plan to consolidate its privacy policies and combine data on users from across all of it services and products. On Wednesday, 36 state Attorneys General offices signed a letter asking for a meeting with Google CEO Larry Page to discuss concerns they have that consumers can't opt out of having their information shared between different Google services under the modified privacy plan.Google was also criticized this month for bypassing default privacy settings on Safari and Internet Explorer. Meanwhile, Facebook has taken heat for its frictionless sharing and Timeline features.

Mobile data is of particular concern given how rapidly Web surfers are adopting smartphones and storing so much personal data on them. Yesterday, the California Attorney General's office announced that Google, Apple, Microsoft, Amazon, HP and Research In Motion would require mobile app developers to include privacy policies in their apps. Apple had just last week announced that iOS apps that collect user contacts without permission are violating its guidelines after photo sharing app Path and others were found to be doing that. Last year, U.S. lawmakers questioned Google and Apple over location-based tracking capabilities in mobile devices. And a firestorm erupted late last year over Carrier IQ software found on mobile phones that critics said could be used to track consumers without their consent.

Here are the specific provisions in the Consumer Privacy Bill of Rights:

1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control,companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.
3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.
4. Security: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.
5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.
6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.

Updated Feb. 23 at 11:05 a.m. PT with Attorneys General letter to Google over privacy policy change.