New Privacy Framework Poses Challenges for Digital Stakeholders

In an attempt to provide some guidance and perhaps some unifying or overarching themes, the Obama administration recently released its long-awaited white paper proposing a new framework for online-privacy protections. The report, entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” announces four guiding pillars that the administration hopes will serve as a template for future federal legislation and regulatory enforcement: (1) a Consumer Privacy Bill of Rights; (2) a multi-stakeholder process led by the Department of Commerce to design procedures for applying the bill of rights in particular contexts; (3) effective enforcement by the Federal Trade Commission (FTC); and (4) commitment to increase interoperability with the privacy frameworks of the United States’ international trading partners. (The United States is often perceived as behind the curve on consumer-privacy issues.)

Goals of Online-Privacy Framework
The administration’s proposed framework has two primary goals: effectively monitoring commercial uses of personal data, and ensuring that companies disclose personal data gathered for marketing purposes that are reasonably consistent with the context in which the data is provided. The white paper defines personal data broadly to refer “to any data, including aggregations of data, which is linkable to a specific individual,” and may include “data that is linked to a specific computer or other device.” This broad definition, according to the administration, is vital because it “provides the flexibility that is necessary to capture the many kinds of data about consumers that commercial entities collect, use, and disclose.”

However, this expansive definition of personal data also means that advertising and technology companies will likely have to restrict the ways in which they use data collected from consumers’ online activities. For instance, under the proposed framework, third-party websites, which are networks that collect and use data to serve advertising tailored to the user, could be limited to using data solely for market-research and analytics purposes. These sites have historically escaped stringent regulation and have drawn the ire of some privacy advocates for their ability to create detailed user profiles and to serve ads to users based upon the users’ online behavior and profiles. Those same privacy advocates contend that such third-party sites collect data without the user’s awareness—either as a result of confusing, “legalistic” privacy policies or the complete lack of any disclosure whatsoever—that they are doing so. The administration intends to create enhanced oversight and enforcement mechanisms to address consumer concerns about what data is being collected and how that data is being used by search engines, individual websites, and online advertisers.

Consumer Privacy Bill of Rights
The centerpiece of the framework is unquestionably the Consumer Privacy Bill of Rights, which contains seven principles designed to provide consumers greater control over both the types of personal data collected as well as how such information is used, shared, transferred, or sold.

• Individual Control: a right to exercise control over personal data collected
• Transparency: a right to understandable and accessible information about data privacy and security practices
• Respect for Context: a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which it is provided
• Security: a right to secure and responsible handling of personal data
• Access and Accuracy: a right to access and to correct personal data in usable formats, and in a manner that is appropriate to the sensitivity of the data
• Focused Collection: a right to reasonable limits on the personal data collected and shared
• Accountability: a right to have personal data handled by only those who will adhere to the principles set forth in the Consumer Privacy Bill of Rights

Administration Wants Companies to Take Framework Seriously
Although the white paper does not have the force of law, the administration hopes that it will serve as a “wakeup call” to companies that have seemingly resisted changing their data-collection or disclosure practices despite previous calls for reform by consumer-protection and privacy advocates. Already, companies have listened.

Within days of its release, prominent online networks accounting for the delivery of nearly 90 percent of online behavioral advertisements—including heavyweights Google, AOL, Yahoo, and Microsoft—agreed to implement a form of Do Not Track technology, subject to enforcement by the FTC. Just hours after the white paper’s release, Google announced it would implement a Do Not Track option on its browser, Chrome, which would enable users to inform sites that they do not want their browsing activities monitored or tracked. Adoption of the Do Not Track option was a startling reversal by Google, and put it in league with other prominent browsers that have already adopted the measure, including Internet Explorer, Mozilla Firefox, and Apple’s Safari. From a consumer/privacy standpoint, one concern is that such data will be collected by websites and other third-party sites for the purpose of serving targeted ads. Another area of concern is companies that can track users’ online behavior and create unique “user profiles” based upon aggregations of such behavioral data. These profiles can be shared with marketing companies that serve targeted ads as well as other direct-marketing communications based upon consumers’ perceived preferences. While the implementation of privacy-protective measures such as Do Not Track may be comforting for consumers and privacy advocates, this trend could present potentially severe problems for companies in the extremely lucrative online-advertising industry. According to the Interactive Advertising Bureau, digital-advertising revenues in the United States were $7.88 billion for the third quarter of 2011, which was 22 percent higher than the same period in 2010. Widespread implementation of Do Not Track could drastically decrease the amount of data collected by online-ad companies such as DoubleClick (owned by Google) and Advertising.com (owned by AOL).

No Firm Enforcement Mechanism in Place
There is currently no mechanism in place to police compliance with the Consumer Privacy Bill of Rights. The administration hopes that the white paper will serve as a model for federal legislation that will codify the bill of rights. Most importantly, the administration wants Congress to provide the FTC and state attorneys general power to investigate violations of any resultant legislation. However, given the gridlock in Congress and the focus on electoral politics, it is highly doubtful that Congress will enact any comprehensive legislation prior to year’s end.

The absence of federal legislation does not mean that the government is powerless in its ability to develop other means of enforcement of the Consumer Privacy Bill of Rights. The second pillar of the white paper states that in the coming months, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) will work with other federal agencies to encourage “individual companies, industry groups, privacy advocates, consumer groups, crime victims, academics, international partners, State Attorneys General, Federal civil and criminal law enforcement representatives, and other relevant groups to participate in multi-stakeholder processes to develop codes of conduct” that implement the bill of rights’ seven principles. Any codes of conduct ultimately agreed to would be legally enforceable by the FTC, just as it may presently investigate a company regarding alleged violations of its own privacy policy. Companies cannot be coerced into accepting a code of conduct modeled on the bill of rights, however, and the ultimate success (or failure) of these “multi-stakeholder processes” remains to be seen.

While the White House’s desire for concerted action to increase consumer confidence is admirable, there is little incentive to agree to voluntary codes of conduct as they would create objective standards for which perceived failings could be addressed in an FTC action. The Consumer Privacy Bill of Rights is designed to create more certainty for digital companies (in lieu of the current patchwork of federal and state-by-state laws), but there can be no doubt that a new privacy regime modeled entirely on the consumer-focused bill of rights would, in all likelihood, restrict companies’ online commercial opportunities and possibly lead to a flood of class-action lawsuits.

What’s Next?
For now, companies should be aware that the white paper has been proposed as a general framework for federal legislation in the future. The Obama administration has not specified when the Department of Commerce will begin convening the proposed multi-stakeholder processes to develop new codes of conduct for digital companies. We will continue to monitor any developments in this rapidly developing area.

Keywords: litigation, consumer rights litigation, online privacy, Do Not Track, Consumer Privacy Bill of Rights

David S. Almeida is a partner and David M. Poell is an associate with Sedgwick LLC in Chicago, IL.

^{Copyright © 2012, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).}