The White House today released its white paper setting forth a framework for "Protecting Privacy And Promoting Innovation in The Global Digital Economy" (the "Framework"). The Framework is far-reaching, touching on everything from a call for legislation, including a national standard for security breach legislation, to promoting international interoperability.
The Framework centers on The Consumer Privacy Bill of Rights, which contains seven core principles relating to “personal data.” Note that “personal data” is defined broadly, to encompass any data, including aggregated data, which can be linked to a specific individual, and may include data linked to a specific computer or other device. It is worth noting that the Framework includes, as an illustrative example of personal data, "an identifier on a smartphone or family computer that is used to build a usage profile."
The seven principles set forth in The Consumer Privacy Bill of Rights are as follows.
1. Consumer Control: granting consumers the right to exercise control over the personal data companies collect and how companies use that personal data.
Of note: The Framework calls for companies to provide “appropriate control” and for the choice to reflect the “scale, scope, and sensitivity” of the personal data collected and the uses made of the personal data.
2. Transparency: calling for consumers to have the right to easily understandable and accessible information about a company’s privacy and security practices.
3. Respect for Context: providing that companies should only collect, use, and disclose personal data in ways that are consistent with the context in which the consumers provided the personal data, unless the law requires otherwise or additional transparency and choice are provided.
Of note: The Framework includes both the company’s relationship with the consumer and the consumer’s age and familiarity with technology as relevant factors in determining the context in which consumers provide personal data and the uses that should therefore be made of that personal data. The Framework calls out children and teenagers as potentially needing greater protections for personal data.
4. Security: giving consumers the right to secure and responsible handling of personal data and requiring companies to provide “reasonable safeguards” to control risks.
5. Access and Accuracy: providing that consumers have the right to access and correct personal data, in usable formats, but further providing that the right is subject to what is appropriate given the sensitivity of the data and the risk of adverse consequences – also referred to as “material harm” – to consumers if the data is inaccurate.
Of note: The Framework also calls on companies to use “reasonable measures” to ensure the personal data they maintain is accurate and references providing consumers with the right to delete or suppress information – all subject to “the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.”
6. Focused Collection: relating to the Context Principle (#3) and calling for consumers to have the right to set reasonable limits on the personal data that companies collect and retain, and calling on companies to securely dispose of or de-identify the personal data collected once it is no longer needed, unless the company is under a legal obligation to keep it in its identified form.
7. Accountability: setting forth that companies must handle personal data with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights and that companies should be accountable to both enforcement authorities and consumers for following the principles in the Framework.
Of note: The Framework specifically states that companies should train employees and hold them responsible for adhering to these principles and that they should include enforceable contract clauses with third parties (unless the law requires otherwise) when disclosing personal data to those third parties. The Framework also provides that, “where appropriate,” companies should conduct full audits.
These principles provide the basis for a multitude of proposed initiatives, including legislation codifying The Consumer Privacy Bill of Rights, strengthening FTC enforcement, and the creation of “multi-stakeholder processes” and “codes of conduct,” which include an international cooperation component. There is sure to be a great deal of discussion and feedback from all of the industry stakeholders and it is unclear will take action to codify The Consumer Privacy Bill of Rights or any principle contained within the Framework. The Framework increases the visibility of and adds to the privacy discussion, but the discussion will certainly continue.