President Obama Unveils New Consumer Privacy Initiative: The Consumer Privacy Bill of Rights

President Obama yesterday unveiled his new consumer privacy initiative, as was announced on the White House website.  To view the full text of the initiative, click here.

The purpose of the initiative is to urge Congress to adopt a Consumer Privacy Bill of Rights, which codifies the following:

  1. Individual Control: Companies should give consumers control over the personal data that they share and how companies collect, use, or disclose that data.  They should be given clear and simple choices that enable them to make meaningful decisions about data collection, use and disclosure.  Companies should give consumers the opportunity to limit or withdraw consent that are as easy as the methods for granting initial consent.
  2. Transparency: Consumers have the right to easily understandable and accessible information about companies’ privacy and security practices.  Companies should provide clear descriptions of what data they collect, why they need the data, what they will do with the data, when they will delete or de-identify it from customers, and whether and for what purposes they may share the data with third parties.
  3. Respect for Context: Consumers have the right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context that consumers provide the data.  Important considerations for context are the age and sophistication of customers.  Children and teenages should have greater protections than adults.
  4. Security: Consumers have a right to secure and responsible handling of personal data.  Companies should maintain reasonable safeguards to control risks such as loss, unauthorized access, use, destruction, modification, and improper disclosure.
  5. Access and Accuracy:  Consumers have a right to access and correct personal data in usable formats in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.  Companies should collect only the personal data they need to accomplish purposes specified under the context, and they should dispose or de-identify personal data once they no longer need it.
  7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to ensure they are adhering to the Consumer Privacy Bill of Rights.  Companies should be accountable to enforcement authorities and to consumers and companies should hold employees responsible for adhering to these principles.  Where appropriate, companies should conduct full audits.  If companies disclose data to third parties, they should ensure at a minimum that the recipients are under contractual obligations to adhere to these principles.

The initiative also asserts that the legislation should provide the FTC and State Attorneys General with the specific authority to enforce the Consumer Privacy Bill of Rights.

My initial reaction to the President’s announcement is mixed.  As a consumer of the Internet who spends 95% of my day online, I am sick and tired of getting tracked all over the Internet.  I find it very annoying to have advertisements pop up for somewhere I have shopped or thought about shopping online, and as soon as another advertisement pops up, I inevitably check all my computer settings and delete cookies and do what I can to stop being tracked.  However, it seems as though nothing works–or at least nothing works for long.  So, I agree that all this Internet tracking is overly intrusive and an annoyance.

At the same time, as an attorney in the Internet and Software space, I am strongly concerned by the fact that the President is proposing more government regulation over the Internet and more enforcement authority over the Internet.  I agree with many of my legal counterparts who believe that the intrusion of more government regulation over the Internet is a hornet’s nest: the Internet has no borders, so if the United States government is allowed to police the Internet to a greater extent than it is currently doing, why shouldn’t other governments be allowed to do the same?  And where do you draw the line?  Philosophically, I think there is a very good argument that the federal government should not be empowered with the ability to step up its regulatory and enforcement authority over the Internet.

Putting aside my general concern over the federal government increasing its regulatory and enforcement powers in the Internet space, my next concern is that we may be imposing a HIPAA like regime over all businesses and not just the ones that handle personal health information.  Is that really a good idea?  Moreover, my understanding is that as a result of The Affordable Care Act, the government is now trying to coerce companies to turn over HIPAA information to the Department of Health and Human Services.   If this is in fact happening, what is to stop the government from doing the same thing with other personal information once they have further regulatory authority?  It’s bad enough that I’m being tracked by businesses all over the Internet, but the idea that Uncle Sam might be doing it is even worse.

And, then there is the concern that this initiative would be duplicating existing laws.  We already have a law to protect children’s personal information on the Internet: the Children’s Online Privacy Protection Act (“COPPA”).  We also have state privacy legislation that presumably this law would supersede.

Finally, as a lawyer for software and Internet companies, you have to be concerned about how this new privacy initiative will impact their existing business models.  Many of my clients rely on the collection of this personal information to drive their revenues, as the websites rely on advertising and the sharing of data to make money.  Will this new initiative have the ultimate effect of putting some Internet and software companies out of business?

Of course, at the moment, these are just my initial reactions to the President’s announcement.  His initiative is merely a proposal to demonstrate to consumers who are likely voters that he is looking out for their well-being in an election year.  Indeed, the initiative does  not even rise to the level of a bill being introduced to Congress.  Moreover,  I would argue that the initiative contains largely “feel-good” language without any real teeth, so for now, my concerns about what happens next are simply speculation on my part about what Congress could do with the initiative, or alternatively,  what the Federal Trade Commission might do on its own accord without any legislation being  passed in Congress.

Still, as much as I personally dislike being tracked all over the Internet, I am troubled by the signals that the President is sending us through his announcement and concerned that expanding consumer privacy protection powers is just the first step to a further expansion of U.S. government regulatory powers over a global Internet.  While at a personal level I would like to draw the proverbial line in the sand on Internet tracking, I worry about what the impact of actually allowing the federal government to draw a line in the sand for us will be on the further development of the Internet.  For those of you who brush off this question, you should remember that the Internet does not have physical borders.  So, where exactly do we draw the line between the U.S. government’s regulation of the Internet and another government’s regulation of the Internet?  I think we need to stop to consider these questions very carefully before we start contemplating the further  expansion of federal powers over the Internet–even if those powers may be directed at reigning in a business practice that many of us find intrusive and annoying.