White House Unveils Commercial Online Privacy Framework

Kelley Drye Client Advisory

On February 23, 2012, the White House released its long-awaited consumer data privacy framework that establishes “clear consumer privacy ground rules” intended to govern how commercial entities collect and use consumers’ personal information in an evolving technological landscape that includes the Internet and other networked technologies.  The framework, entitled Consumer Data Privacy In a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, includes a series of consumer privacy principles that would form the basis for voluntary but enforceable codes of conduct, positions the Federal Trade Commission (“FTC”) as the lead enforcer on consumer privacy issues, and encourages greater international cross-border collaboration.  The framework builds on the consumer privacy recommendations issued in December 2010 by the Department of Commerce Internet Policy Task Force.

The Administration’s framework includes four primary elements:

Adopt a Consumer Privacy Bill of Rights

The framework establishes a Consumer Privacy Bill of Rights (“Bill of Rights”) that includes baseline consumer privacy protections that are designed to (1) maintain consumer trust as online businesses continue to adopt and deploy new technologies; and (2) encourage innovation by providing online operators with greater certainty as to acceptable personal data collection and use practices.  The Bill of Rights applies to all commercial uses of “personal data,” which the framework broadly defines as “any data, including aggregations of data, which is linkable to a specific individual,” and includes data that is linked to a specific computer or other device.  The Bill of Rights is based on general and adaptable Fair Information Practice Principles (“FIPPs”) and includes seven principles that companies must abide by when they collect and use consumers’ personal information:
  • Individual Control – Provide choice around the collection, use, and disclosure of personal data in a manner that reflects the sensitivity of the data collected and its intended use.
  • Transparency – Provide clear, plain language notice that describes how personal data is collected, used, and disclosed to third parties.
  • Respect for Context – Limit the use and disclosure of personal data to only those purposes that are consistent with consumers’ expectations.
  • Security – Maintain reasonable administrative and technical safeguards to mitigate risks to personal data that include loss, destruction, and unauthorized use or access.
  • Access and Accuracy – Ensure that personal information is accurate and provide consumers with reasonable access and the ability to correct the personal data that they maintain.
  • Focused Collection – Collect only as much personal data as is needed to accomplish purposes consistent with consumers’ expectations.
  • Accountability – Employ data management practices that include employee training, regular evaluations of internal data management procedures, and enforceable contractual obligations to ensure proper use and disclosure of data by third parties.

Create Voluntary, Enforceable Privacy Codes of Conduct

The Administration will convene a multi-stakeholder process to develop voluntary, yet legally enforceable, codes of conduct that implement the Bill of Rights.  The process, which will be led by the Department of Commerce’s National Telecommunications and Information Administration (“NTIA”), will be open to industry, consumer groups, and state and federal government stakeholders.  The NTIA, along with support from the FTC, will work with the stakeholder groups to identify markets and industry sectors that involve significant consumer data privacy issues and may be ripe for an enforceable code of conduct.

Strengthen FTC Enforcement Authority

The framework recognizes the FTC as the federal government’s leading consumer privacy enforcement authority and it positions the FTC as the primary entity to enforce the Bill of Rights as well as the commitments of companies that voluntarily agree to adopt the codes of conduct.

Encourage Global Interoperable Privacy Frameworks

The framework recognizes the impact of disparate national legal standards on cross-border data flows, and it encourages increased engagement with international partners to increase interoperability in privacy laws.  Specifically, the framework supports mutual recognition of different commercial data privacy frameworks, including joint enforcement efforts that are conducted according to publicly-announced policies.  The Administration also encourages international stakeholders to identify globally-accepted accountability mechanisms, such as the Asia-Pacific Economic Cooperation’s (“APEC”) voluntary system of Cross Border Privacy Rules, that can be used to develop international codes of conduct that would simplify compliance burdens faced by multinational organizations.

Within the framework, the Administration urges Congress to pass legislation establishing the Bill of Rights as the legal baseline that governs consumer data privacy in the U.S.; nevertheless, the Administration encourages industry stakeholders to move forward in adopting the principles within the Bill of Rights in the absence of legislation.  The Administration’s legislative proposal also would permit the FTC and State Attorneys General to directly enforce the Bill of Rights, as well as give the FTC the authority to approve (or reject) codes of conduct developed under the multi-stakeholder approach and grant a safe harbor to companies that follow a code of conduct that the FTC has reviewed and approved.  Lastly, the Administration supports the creation of a national personal data breach notification standard that would preempt the existing patchwork of state laws.

Other Privacy Initiatives

The White House privacy framework is only one of several current federal and state initiatives that will have significant implications for businesses that collect consumer personal information online.  Most notably, the FTC is expected to issue its final consumer privacy framework within the next few weeks.  In addition, the California Attorney General announced on February 22, 2012, that the six leading operators of mobile application (“app”) platforms have agreed to privacy principles that will help bring the mobile app industry into compliance with a California law requiring mobile apps that collect personal information to have a privacy policy.  The agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion requires that mobile app developers provide a privacy policy before consumers download an app and disclose the extent to which they collect, use, and share a user’s personal information.  Mobile app developers that fail to comply with their privacy policies will be subject to prosecution under California consumer protection laws.

Kelley Drye & Warren LLP

Kelley Drye & Warren’s Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients’ customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.

For more information about this advisory, contact:

Dana B. Rosenfeld
(202) 342-8588

Alysa Zeltzer Hutnik
(202) 342-8603