Earlier this year President Obama released the “Consumer Privacy Bill of Rights” as part of the “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” The Consumer Privacy Bill of Rights sets forth the rights and expectations individuals should have with regard to the use of personal data on internet and digital networks. The rights are:
1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
4. Security: Consumers have a right to secure and responsible handling of personal data.
5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
In addition to setting forth the Consumer Privacy Bill of Rights, the Framework calls for the National Telecommunications & Information Administration (the “NTIA”) to convene stakeholders to develop codes of conduct which the Federal Trade Commission (the “FTC”) will be able to enforce.
Last week I attended the first of the meetings between stakeholders at the NTIA. Participants represented a wide range of organizations and companies. A show of hands indicated that 25% represented consumer and public interest organizations like the ACLU, CDT et al. The other participants represented corporate and business interests from companies like Facebook and Comcast to developers.
Ostensibly the purpose of the meeting was to begin the process of creating a code of conduct for the protection of privacy of personal data in mobile applications. However, the NTIA decided to focus on just one element of the code, transparency. The first order of business was to go through a directed exercise to identify the issues related to transparency most important to participants. Each attendee was given one minute to speak. Overall the issues highlighted related to consistency of disclosures, context of disclosures, standardizations of processes, conciseness and clarity of disclosures, and timeliness of disclosures.
While I appreciate the facilitated process the NTIA used to guide the conversation during the first meeting, I am unable to provide you any tangible results from the activity. I am hopeful that the stakeholders will have future opportunities to create a valuable code of conduct which the FTC can use as a framework for enforcement. For now, the NTIA has indicated that the next meeting of stakeholders will be in August. In the meantime, I look forward to working with clients and other stakeholders to help craft the code of conduct called for in the “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.”