Privacy in Principle (As California Goes, So Goes the Nation? Part Four)
What happened in the privacy world last week? Well, on Friday, the White House officially released its long-anticipated white paper setting forth a framework for "Protecting Privacy and Promoting Innovation in the Global Digital Economy," including a Consumer Privacy Bill of Rights. Justine blogged about this on Friday here. But something else happened on Thursday, just before the release of the White House paper. Here in California, Attorney General Kamala Harris announced an agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, the leading operators of mobile application platforms. Let's call it the App Agreement for purposes of this post, and the six companies the App Platform Participants.
What does the App Agreement say?
Is the App Agreement law?
No. The App Agreement is a "Joint Statement of Principles"; it is not legally binding. It explicitly states that it is "not intended to impose legally binding obligations on the Participants or affect existing obligations under law."
How does California law define personally identifiable information? Just name with Social Security number, financial account number, or driver's license number, right?
No, CalOPPA has always broadly defined PII for purposes of online privacy policies to include individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form. Such information includes any of the following: (1) A first and last name. (2) A home or other physical address, including street name and name of a city or town. (3) An e-mail address. (4) A telephone number. (5) A social security number. (6) Any other identifier that permits the physical or online contacting of a specific individual. (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
What does the App Agreement have in common with the White House Consumer Privacy Bill of Rights?
Two of the principles set forth in the White House's new Consumer Privacy Bill of Rights have long been incorporated in CalOPPA and are reiterated and reaffirmed by the App Agreement: "Transparency" and "Access and Accuracy." California has long required that organizations conspicuously post their privacy policies so that consumers can more easily obtain information about their privacy rights. California has also long required that companies explain to consumers how they can review and request changes to their PII.
Both documents and the principles set forth therein also find their origins in the decades-old Fair Information Practice Principles (FIPPs).
Ms. Harris's requirement that the App Platform Participants engage in ongoing discussions with the AG's office and reconvene in six months also resonates with the Obama Administration's contemplated multi-stakeholder approach to produce enforceable codes of conduct that implement the Consumer Privacy Bill of Rights.
While we're talking about this, anything else to consider about California law?
Consumer Privacy "Rights" - Not Just for Californians Anymore
Once again, California is driving the conversation on privacy. Principles that may have once seemed outside the mainstream or just another crazy California thing, long memorialized in actual binding law out here, are now going mainstream in this country. They are also moving US conceptions of privacy closer to the European model of core user privacy rights, albeit with a uniquely US multi-stakeholder non-binding flavor. Will we see federal legislation that embodies these principles? Unknown and perhaps unlikely in the short term. However, given existing California law on this issue, Attorney General Harris's renewed focus on privacy (especially in the ubiquitous mobile space), and the likelihood of increased enforcement and class action litigation for organizations doing business in California, the time may be right for all organizations to reexamine their privacy practices with an eye towards these principles.