Obama Administration's New Computer Privacy Framework Poses New Challenges for Digital Stakeholders
Pharmaceutical Law Update
In an attempt to provide some guidance and perhaps some unifying or overarching themes, the Obama Administration recently released its long-awaited white paper proposing a new framework for online privacy protections. The report, titled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy," announces four guiding pillars that the administration hopes will serve as a template for future federal legislation and regulatory enforcement: (i) a Consumer Privacy Bill of Rights; (ii) a multi-stakeholder process led by the Department of Commerce to design procedures for applying the Bill of Rights in particular contexts; (iii) effective enforcement by the FTC; and (iv) commitment to increase interoperability with the privacy frameworks of the United States' international trading partners (the United States is often perceived as behind the curve on consumer privacy issues).
Goals of Online Privacy Framework
The administration's proposed framework has two primary goals: effectively monitoring commercial uses of personal data and ensuring companies disclose personal data gathered for marketing purposes that are reasonably consistent with the context in which the data is provided. The white paper defines personal data broadly to refer "to any data, including aggregations of data, which is linkable to a specific individual," and may include "data that is linked to a specific computer or other device." This broad definition, according to the administration, is vital because it "provides the flexibility that is necessary to capture the many kinds of data about consumers that commercial entities collect, use, and disclose."
However, this expansive definition of personal data also means that advertising and technology companies will likely have to restrict the ways in which they use data collected from consumers' online activities. For instance, under the proposed framework, third-party websites, which are networks that collect and use data to serve advertising tailored to the user, could be limited to using data solely for market research and analytics purposes. These sites have historically escaped stringent regulation, and have drawn the ire of some privacy advocates for their ability to create detailed user profiles and to serve users ads based upon their online behavior and profiles. Those same privacy advocates contend that such third-party sites collect data without the user being aware that they are doing so, either as a result of confusing, "legalistic" privacy policies or the complete lack of any disclosure whatsoever. The administration intends to create enhanced oversight and enforcement mechanisms in order to address consumer concerns about what data is being collected and how that data is being used by search engines, individual websites and online advertisers.
Consumer Privacy Bill of Rights
The centerpiece of the framework is unquestionably the Consumer Privacy Bill of Rights, which consists of seven principles designed to provide consumers greater control over both the types of personal data collected as well as how such information is used, shared, transferred or sold.
Individual Control: a right to exercise control over personal data collected
Transparency: a right to understandable and accessible information about data privacy and security practices
Respect for Context: a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which it is provided
Security: a right to secure and responsible handling of personal data
Access and Accuracy: a right to access and to correct personal data in usable formats, and in a manner that is appropriate to the sensitivity of the data
Focused Collection: a right to reasonable limits on the personal data collected and shared
Accountability: a right to have personal data handled by only those who will adhere to the principles set forth in the Privacy Bill of Rights
Administration Wants Companies to Take Framework Seriously
Although the white paper does not have the force of law, the administration hopes that it will serve as a "wakeup call" to companies that have seemingly resisted changing their data-collection or disclosure practices despite previous calls for reform by consumer protection and privacy advocates. Already, companies have listened.
Within days of its release, prominent online networks accounting for the delivery of nearly 90 percent of online behavioral advertisements—including heavyweights Google, AOL, Yahoo! and Microsoft—agreed to implement a form of Do Not Track technology, subject to enforcement by the FTC. Just hours after the white paper's release, Google announced it would implement a Do Not Track option on its browser, Chrome, which would enable users to inform sites that they do not want their browsing activities monitored or tracked. Adoption of the Do Not Track option was a startling reversal by Google, and put it in league with other prominent browsers that have already adopted Do Not Track, including Internet Explorer, Mozilla Firefox and Apple's Safari.
From a consumer/privacy standpoint, one concern is that such data will be collected by websites and other third-party sites for the purpose of serving targeted ads. Another area of concern is companies that can track users' online behavior and create unique "user profiles" based upon aggregations of such behavioral data. These user profiles can be shared with marketing companies that serve targeted ads as well as other direct marketing communications based upon consumers' perceived preferences.
While the implementation of privacy-protective measures such as Do Not Track may be comforting for consumers and privacy advocates, this trend could present potentially severe problems for companies in the extremely lucrative online advertising industry. According to the Interactive Advertising Bureau, digital advertising revenues in the U.S. were $7.88 billion for the third quarter of 2011—22 percent higher than the same period in 2010. Widespread implementation of Do Not Track could drastically decrease the amount of data collected by online ad companies such as DoubleClick (owned by Google) and Advertising.com (owned by AOL).
No Firm Enforcement Mechanism in Place
There is currently no mechanism in place to police compliance with the Privacy Bill of Rights. The administration hopes that the white paper will serve as a model for federal legislation that will codify the Bill of Rights. Most importantly, the administration wants Congress to provide the FTC and state Attorneys General power to investigate violations of any resultant legislation. However, given the gridlock in Congress and the focus on electoral politics, it is highly doubtful that Congress will enact any comprehensive legislation prior to year's end.
While the White House's desire for concerted action to increase consumer confidence is admirable, there is little incentive for companies to agree to voluntary codes of conduct, as they would create objective standards against which perceived failings could be addressed in an FTC action. The Privacy Bill of Rights is designed to create more certainty for digital companies (in lieu of the current patchwork of federal and state-by-state laws), but there can be no doubt that a new privacy regime modeled entirely on the consumer-focused Bill of Rights would, in all likelihood, restrict companies' online commercial opportunities and possibly lead to a flood of class action lawsuits.
For now, companies should be aware that the white paper has been proposed as a general framework for federal legislation in the future. The Obama Administration has not specified when the Department of Commerce will begin convening the proposed multi-stakeholder processes to develop new codes of conduct for digital companies. We will continue to monitor any developments in this rapidly developing area.