Yesterday afternoon, the White House issued its long-awaited “Consumer Privacy Bill of Rights” – a 46-page report arguing the need for stronger privacy rules for both consumers and business. The report is based in large part on the draft Department of Commerce “Green Paper” privacy report that was released in December 2010. This bill of rights calls for companies to abide by a slightly rearticulated set of the Fair Information Practice Principles, and for industry, advocates, and regulators to come together to negotiate specific, legally enforceable codes of conduct on emerging privacy issues. The Department of Commerce is tasked with convening diverse stakeholders and coordinating the development of these consensus rules.
The biggest difference between the two versions of the report is that the administration is now calling for comprehensive privacy legislation to implement its privacy framework (the Green Paper did not take a position on the need for legislation). This is a significant change; CDT’s primary criticism of the Green Paper was that we were skeptical that companies would sign up for “voluntary codes of conduct” absent underlying legislation that incentivized companies to adopt them (such as deemed compliance with the law, or immunity from private suits). The Department of Commerce and the White House now agree that legislation would be the best way to implement their framework.
That said, the Administration knows that it will be challenging to move major legislation in the last nine months of this Congress in an election year, so it is moving full speed ahead with its multistakeholder convenings without waiting for Congress to act. While this raises questions about how effective the convenings will be, the desire to move quickly (the White House press release is entitled “We Can’t Wait,” after all) is understandable. Consumers are increasingly nervous about what companies do with their personal information, and we may be nearing an inflection point where consumer wariness about privacy is a serious threat to adoption of new technologies and services.
At least as important, the administration wants to show leadership on privacy at a time when the European Union is fundamentally reworking its own data protection framework. The US has been heavily lobbying the European Commission to allow for flexibility in the new law and to not disadvantage cross-border data flows. However, without better privacy protections in place here at home, the US is arguing from a position of relative weakness. Hence the move to push for a “coregulatory” scheme (based on consensus-driven rules) rather than the US’s historical pure self-regulatory model, which most everyone agrees has failed to provide sufficient privacy protections.
And while CDT (and now the Administration) feels that consensus-based rules would work better as part of a legislative framework, there is still an opportunity for significant progress in the meantime. The administration’s bully pulpit to drive (or shame) companies to come to the table to negotiate better privacy rules is not insignificant, especially with bigger companies who may have had privacy issues in the past, or who also want to demonstrate progress in the US to European regulators. It is also notable that most leading consumer groups, many of which were strongly resistant to “voluntary codes of conduct” as part of legislation two years ago, are now supportive and willing to engage in a multistakeholder process.
It’s not entirely clear what form these multistakeholder convenings will take, or what issues the Department of Commerce will tackle first. In principle, however, CDT believes that multistakeholder negotiations can certainly be a way to develop smart and effective protections on emerging privacy issues (we released a paper on multistakeholder governance yesterday). And if we all demonstrate that this process can work in practice, we lay the groundwork for a more comprehensive legislative approach based on this model in the future.
An Important First Step on “Do Not Track”
Meanwhile, in the run-up to the announcement of the final privacy report, the Digital Advertising Alliance — the supergroup of online advertising industry associations — announced that its members would commit to honor the “Do Not Track” setting in web browsers by the end of the year. For CDT and other consumer groups who have been calling for “Do Not Track” since 2007, this is obviously huge news. Over the last year, most browsers have implemented a setting to broadcast to all websites a signal indicating an instruction not to track; however, up to now, only a few ad networks have taken steps to acknowledge or respond to such a signal.
Of course, the devil is going to be in the details, and the DAA’s announcement was vague as to what exactly its members would be committing to. That’s fine for now — just agreeing to recognize user preferences in the first place is a big step forward. However, if the eventual standard for “Do Not Track” allows companies to amass tracking profiles on consumers despite receiving a “Do Not Track” signal, this effort is doomed to failure. The DAA’s current definition of “opting out” of behavioral advertising is an improvement over other self-regulatory efforts in recent years, but still allows companies to track users across the internet indefinitely for vaguely defined purposes such as “market research” and “product improvement.” Obviously, if a user signals “Do Not Track” to websites, there are going to need to be stronger limitations on the collection, usage, and retention of cross-site data by marketing (and other) companies.
Fortunately, industry has been actively engaging with advocates and regulators in the World Wide Web Consortium (W3C) process to articulate precise rules for what a “Do Not Track” instruction should mean. Google, Microsoft, Apple, Yahoo!, the Interactive Advertising Bureau, and others have been negotiating in brutal, painstaking detail issues such as data minimization, frequency capping, first and third parties, and yes, market research and product improvement with consumer groups like CDT, academics, and regulators from the US and Europe. We are hopeful that this hard work will serve as the basis for the commitment that DAA members eventually take with respect to “Do Not Track.” As the White House has embraced multistakeholder collaboration as the means to achieve progress on privacy protections, it is clear that “Do Not Track” must be decided in a collaborative process, not behind closed doors by industry alone.