On February 23, 2012, the White House released its long-awaited consumer data privacy framework that establishes clear consumer privacy "ground rules" intended to govern how commercial entities collect and use consumers' personal information in an evolving technological landscape that includes the Internet and other networked technologies. The framework, entitled Consumer Data Privacy In a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, includes a series of consumer privacy principles that would form the basis for voluntary but enforceable codes of conduct, positions the Federal Trade Commission ("FTC") as the lead enforcer on consumer privacy issues, and encourages greater international cross-border collaboration. The framework builds on the consumer privacy recommendations issued in December 2010 by the Department of Commerce Internet Policy Task Force.
The Administration's framework includes four primary elements:
Adopt a Consumer Privacy Bill of Rights
The framework establishes a Consumer Privacy Bill of Rights ("Bill of Rights") that includes baseline consumer privacy protections that are designed to (1) maintain consumer trust as online businesses continue to adopt and deploy new technologies; and (2) encourage innovation by providing online operators with greater certainty as to acceptable personal data collection and use practices. The Bill of Rights applies to all commercial uses of "personal data," which the framework broadly defines as "any data, including aggregations of data, which is linkable to a specific individual," and includes data that is linked to a specific computer or other device. The Bill of Rights is based on general and adaptable Fair Information Practice Principles ("FIPPs") and includes seven principles that companies must abide by when they collect and use consumers' personal information:
- Individual Control – Provide choice around the collection, use, and disclosure of personal data in a manner that reflects the sensitivity of the data collected and its intended use.
- Transparency – Provide clear, plain language notice that describes how personal data is collected, used, and disclosed to third parties.
- Respect for Context – Limit the use and disclosure of personal data to only those purposes that are consistent with consumers' expectations.
- Security – Maintain reasonable administrative and technical safeguards to mitigate risks to personal data that include loss, destruction, and unauthorized use or access.
- Access and Accuracy – Ensure that personal information is accurate and provide consumers with reasonable access to, and the ability to correct, the personal data that companies maintain about them.
- Focused Collection – Collect only as much personal data as is needed to accomplish purposes consistent with consumers' expectations.
- Accountability – Employ data management practices that include employee training, regular evaluations of internal data management procedures, and enforceable contractual obligations to ensure proper use and disclosure of data by third parties.
Create Voluntary, Enforceable Privacy Codes of Conduct
The Administration will convene a multi-stakeholder process to develop voluntary, yet legally enforceable, codes of conduct that implement the Bill of Rights. The process, which will be led by the Department of Commerce's National Telecommunications and Information Administration ("NTIA"), will be open to industry, consumer groups, and state and federal government stakeholders. The NTIA, along with support from the FTC, will work with the stakeholder groups to identify markets and industry sectors that involve significant consumer data privacy issues and may be ripe for an enforceable code of conduct.
Strengthen FTC Enforcement Authority
The framework recognizes the FTC as the federal government's leading consumer privacy enforcement authority and it positions the FTC as the primary entity to enforce the Bill of Rights as well as the commitments of companies that voluntarily agree to adopt the codes of conduct.
Encourage Global Interoperable Privacy Frameworks
The framework recognizes the impact of disparate national legal standards on cross-border data flows, and it encourages increased engagement with international partners to increase interoperability in privacy laws. Specifically, the framework supports mutual recognition of different commercial data privacy frameworks, including joint enforcement efforts that are conducted according to publicly-announced policies. The Administration also encourages international stakeholders to identify globally-accepted accountability mechanisms, such as the Asia-Pacific Economic Cooperation's ("APEC") voluntary system of Cross Border Privacy Rules, that can be used to develop international codes of conduct that would simplify compliance burdens faced by multinational organizations.
Within the framework, the Administration urges Congress to pass legislation establishing the Bill of Rights as the legal baseline that governs consumer data privacy in the U.S.; nevertheless, the Administration encourages industry stakeholders to move forward in adopting the principles within the Bill of Rights in the absence of legislation. The Administration's legislative proposal also would permit the FTC and State Attorneys General to directly enforce the Bill of Rights, as well as give the FTC the authority to approve (or reject) codes of conduct developed under the multi-stakeholder approach and grant a safe harbor to companies that follow a code of conduct that the FTC has reviewed and approved. Lastly, the Administration supports the creation of a national personal data breach notification standard that would preempt the existing patchwork of state laws.
Other Privacy Initiatives
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this advisory, contact:
Dana B. Rosenfeld
John J. Heitmann
Alysa Zeltzer Hutnik