The White House recently released its proposal for simplifying the landscape of privacy regulations to provide consumers with a better understanding of how their personal information is collected, used, and shared. The proposal, entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (the “Privacy Framework”), urges Congress to adopt a Consumer Privacy Bill of Rights (“Bill of Rights”) and sets forth a framework for regulations, implementation processes, and multistakeholder involvement in the creation of a more streamlined privacy regime.

The White House’s Privacy Framework has four primary elements, including (1) the Bill of Rights, (2) a multistakeholder process to help design enforceable codes of conduct to specify how the Bill of Rights will apply in specific business contexts, (3) Federal Trade Commission (“FTC”) enforcement, and (4) a focus on increasing the interoperability of U.S. privacy frameworks with those of countries around the world. Many of the considerations included in the Privacy Framework were also included in the FTC’s proposed framework, released in December 2010, which covered principles such as simplified choice, privacy by design, transparency, and “Do Not Track.”

Before explaining the four components of the Privacy Framework, it is important to clarify the definition that the White House used for “personal data.” The White House definition of “personal information” is broad, and includes any information that can be linked to a specific individual. This means that a person’s name, email address and mailing address may all fall within the definition of “personal information.” It also appears to be broad enough to extend to specific computers and unique identifiers associated with mobile devices. Thus, any company that collects, uses, or shares this type of information should understand the Privacy Framework.

The four components are as follows:

1. Consumer Privacy Bill of Rights

First, the Privacy Framework provides a Bill of Rights, which covers “commercial uses of personal data.” Thus, this portion of the Bill of Rights applies to companies that collect personal information as part of their business, even if they do not “sell” or “rent” that information. For companies interested in the “rules” related to data collection practices, this section of the Privacy Framework should be a focal point, as it provides an idea of what the White House will emphasize when determining the necessary disclosures.

The Bill of Rights has seven focuses, including individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability. While each of these elements is described separately, they all work together within the Privacy Framework. For example, individuals are urged to exercise more discretion when providing information online, but online companies are urged to provide consumers with more opportunities to understand how their personal information is being used and to ensure the accuracy of information stored about them. This means that companies are being urged to have clearer notices and policies related to the collection and use of personal information.

In this regard, the Privacy Framework suggests that consumer choice be simplified and privacy policies be made easier to follow, with disclosures regarding uses of personal information being provided at the time and location of collection as well as in privacy policies. The content of—and requirement for—such disclosures would depend on the situation as consent may be inferred in some instances, but not in others. For example, consumers often infer that an online store will share their address and name with a shipping company in order to supply them with their purchases. However, consumers may not know how data brokers and other collectors of information are using that information.

Further, the Privacy Framework recommends that consumer-facing online companies become gate keepers, ensuring that they understand how third parties, such as online behavioral advertisers, will use consumer data collected through their sites. As a gate keeper, these companies are in the best position to affect the flow of the personal information, and limit the disclosure to third parties. On the other hand, data brokers, companies whose business it is to create profiles about individuals based on the information they are able to collect online, are urged to take steps to make their collection processes more transparent.

Finally, in this portion of the Privacy Framework, the White House recommends that consumer-facing companies and companies processing consumer data have contracts in place with service providers to ensure the proper handling of consumer personal information.

While the Bill of Rights is the primary feature of the White House’s Privacy Framework, to have the strength that the Framework appears to foresee for it, the White House also includes a call to Congress to create legislation to codify the Bill of Rights. Such legislation would provide additional support for the other provisions of the Privacy Framework and set the groundwork for more uniform legislation protecting consumer personal information.

2. Multistakeholder Process

Under the proposed Privacy Framework, the general principles of the Bill of Rights would be implemented by consulting with multiple individuals, agencies, industry groups, and other interested parties (referred to as “multistakeholders”) to determine how it should be applied in specific industries. These meetings would take place even in the absence of legislation codifying the Bill of Rights. This process appears similar to the FTC’s “roundtables” where it invites members of the public to come and discuss issues of concern. Using these multistakeholder roundtables, the Privacy Framework suggests that these multistakeholder groups create codes of conduct dictating how industry groups will handle consumer personal information. While the codes of conduct will be voluntary, the Privacy Framework suggests that companies will participate in the process to increase consumer trust and in hopes of avoiding an FTC enforcement action by demonstrating adherence to an accepted code of conduct.

Additionally, the Privacy Framework recommends that Congress grant the FTC authority under the Administrative Procedure Act to review and approve codes of conduct and to grant a “safe harbor” whereby companies may implement a code of conduct that has been reviewed and approved by the FTC in an attempt to avoid enforcement. This is similar to the safe harbor program in effect for the Children’s Online Privacy Protection Act, whereby companies that implement the program created by TRUSTe (or other organizations with safe harbor programs) may avoid enforcement by ensuring that their program complies with the Act.

3. Enforcement

The FTC is encouraged to take the implementation of a code of conduct into consideration when moving forward with an enforcement action and to view adoption of such a code favorably. And, where a company claims to abide by a code, such a statement will likely be enforceable under Section 5 of the FTC Act, through which the FTC investigates companies that engage in unfair and deceptive trade practices. Among other things, the FTC currently targets companies that fail to enforce the provisions of their privacy policies based on their Section 5 authority. Effective enforcement is a cornerstone of the proposed Privacy Framework.

4. U.S. Interoperability with International Partners

Intertwined with the Bill of Rights is the idea that the U.S. should adapt its privacy regulations to be more consistent with international regulations, where possible. The Privacy Framework recognizes that it is often difficult for companies to transfer personal data across national borders due to the differences in privacy laws from country to country. The White House suggests that international companies take part in the multistakeholder process to facilitate a global consensus regarding the privacy issues faced by consumers and companies. The current US-EU Safe Harbor Framework may one day be supplemented by codes of conduct “reflecting transatlantic consensus on important, emerging privacy issues.”

In addition to having a goal of more interoperability between the US and foreign jurisdictions, the Privacy Framework also has a goal of there being a more unified standard in the states and the federal government. In this regard, the White House explains that the federal laws that would be implemented as a result of the Privacy Framework would supersede inconsistent state laws to help create uniformity in privacy legislation.

In addition, the Privacy Framework proposes exempting companies’ activities where those activities are already covered by existing privacy legislation. For example, the Privacy Framework does not intend to overrule the Health Insurance Portability and Accountability Act (HIPAA) for the medical industry or the Gramm Leach Bliley Act (GLB) for the financial industry, but intends to supplement these laws. The Privacy Framework also considers amending current laws to simplify and clarify which laws apply in which situations and creating a more standardized approach to privacy and data breaches across state and federal governments. It would create a federal breach notification statute and help companies to have a clearer understanding of what is required of them.

* * *

Overall, the proposed Privacy Framework focuses on creating uniformity and clarity across the privacy legislation currently in place today. It considers enforcement techniques, the need for accountability and specified standards for those companies that handle consumer personal information. If Congress heeds the call, privacy legislation may be in the works to implement the Bill of Rights. If not, it appears that the current administration will still work with the FTC, other agencies, and industry groups to implement many of the goals presented in the Bill of Rights.

All companies that handle consumer information should be aware of the Bill of Rights and the proposed Privacy Framework. Arent Fox is continuing to monitor updates in the privacy industry. Please contact the attorneys listed at right with questions.