Seven Principles of the Consumer Privacy Bill of Rights

The Obama administration’s proposal for a Consumer Privacy Bill of Rights (“CPBR”), which was released as part of its white paper, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is intended to give users more control over how their personal information is used in commercial transactions.

The CPBR is directed at those companies who develop mobile or online apps capable of collecting personally identifiable information (PII), such as device identification numbers, email addresses, location, personal contacts, texts, calendar entries and photos.

The CPBR contains seven core principles relating to all commercial uses of PII, defined as any data, including aggregations of data, that can be linked to a specific individual or specific device. As an example, the CPBR provides that “an identifier on a smartphone or family computer that is used to build a usage profile is personal data.”

The CPBR adopts seven general principles as a guide for future rule-making and legislation. These principles are summarized below:

1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. When companies collect personal data from consumers, they should present choices to the consumer about data sharing, collection, use, and disclosure that are appropriate for the scale, scope, and sensitivity of the personal data in question, including the ability to withdraw or to limit consent to share and collect such data.

2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. Mobile apps, which are accessed on mobile devices, will need to present mobile consumers with the most relevant information about what personal data is shared, used and collected in a way that takes into account the small screens and privacy risks that are specific to mobile devices.

3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. If companies will use or disclose personal data for purposes other than those that are consistent with their relationship with the consumer or for which the information was originally disclosed, then they should inform consumers and get their consent before the personal data is collected or before the company seeks to use already-collected data for different purposes.

4. Security: Consumers have a right to secure and responsible handling of personal data. Companies that collect and keep personal data are required to keep such data secure. For example, data should be encrypted while it moves between a mobile phone and a server.

5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Not only should companies that handle personal data ensure that the consumer data they maintain is current and accurate, but they should also give consumers reasonable access to the data collected about them and the ability and opportunity to correct inaccurate data or to request its deletion or a limitation on its use.

6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should only collect personal data that they need in order to accomplish the specific purpose for which the data was originally collected. App developers should take into account data and features unique to mobile devices, such as location data and the contents and metadata from phone calls and text messages, and limit access to only the data that is relevant for the app’s intended functionality.

7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should train employees to handle personal data appropriately; evaluate and, if appropriate, audit companies’ treatment of personal data; and enter into contracts or other legally enforceable instruments requiring third parties to handle personal data appropriately.

For now, the CPBR is a framework and does not include enforceable rules, but the Obama administration is pursuing implementation through legislation and a multi-stakeholder rule-making process and is seeking enforcement through the Federal Trade Commission. The FTC is currently seeking input from interested parties, including consumers, on how to develop rules to implement the CPBR, and is holding a public forum on the matter on May 30, 2012.

Author: Seth Heyman
Seth D. Heyman is a California attorney with extensive experience in advertising and marketing law, corporate law, contracts, governmental regulations, international business, and Internet law. He has counseled numerous successful companies, both public and private, and was responsible for regulatory compliance, contract management, corporate governance, and HR best practices for multiple organizations in many diverse industries, including marketing, telecommunications, energy, and technology development. He offers insight and guidance on federal and state direct mail, TV, radio, telemarketing, and Internet marketing laws, as well as online promotions, Internet privacy, data protection regulations, and similar matters.
