Eye on Privacy: How Will a Consumer Privacy Bill of Rights Affect Your Marketing?
A little over a year ago, the Commerce Department and the Federal Trade Commission (FTC) issued preliminary reports from their respective task forces that were looking at online privacy. It is now 14 months later and the Commerce Department has released a Consumer Privacy Bill of Rights. In two weeks, the FTC is expected to release its final privacy document. The question on marketers’ minds is “How have things changed over the past year and how will the Consumer Privacy Bill of Rights impact your business?”
The Consumer Privacy Bill of Rights is actually one element in a privacy framework that also includes:
- A multistakeholder process to determine how the principles within the Bill of Rights will be translated into commercial codes of conduct that will be lead by the National Telecommunications and Information Administration (NTIA),
- Effective enforcement that balances FTC and state Attorney General interests,
- Increased international interoperability that would build on the current Safe Harbor framework.
The Consumer Privacy Bill of Rights consists of seven principles:
- Individual Control gives consumers the right to exercise control over what data businesses collect and how they use it. In the past, we have referred to this principle as “choice.” Most marketers who have direct relationships with consumers already provide choice about data collection. This principle, however, will also apply to third party collection, such as data brokers, who might be obtaining data through public records. While there is recognition that the principle will be more challenging for third party collection, it will still apply. Consumer responsibility is a second component to this principle. A third component allows companies to protect data collected before implementing the Consumer Privacy Bill of Rights.
- Transparency gives consumers the right to easily accessible and understandable statements about privacy and security practices. This was formerly known as “notice” and should include what data is collected, how it will be used and shared and when it will be deleted.
- Respect for Context is most closely associated with “purpose” and “use.” It gives consumers the right to expect that companies will use and disclose data in a manner consistent with the purpose for which it was collected. This is closely tied to Transparency and will present challenges as marketers consider the age and sophistication of the consumers they serve.
- Security gives consumers the right to secure and responsible handling of their personal information.
- Access and Accuracy gives consumers the right to access and correct personal data based on the sensitivity of the data or the potential for harm caused by inaccurate data. This is sometimes referred to as “data quality” or “access and correction.” The challenge for marketers is the cost for access and correction when weighed against the use of the data for marketing. This is an area that will need to be clarified in the vetting process.
- Focused Collection gives consumers the right to expect reasonable limits to the data a company collects and maintains. This is sometimes known as “collection limitation” and is tied closely to Transparency. An additional consideration of this principle is that companies will securely dispose of data or de-identify it once it is no longer needed.
- Accountability gives consumers the assurance that their data is being handled by companies who are adhering to these principles. This principle encompasses a number of commitments including adopting the principles, training employees, auditing systems and processes and being accountable to enforcement authorities.
This is only a first step in a process. The NTIA will begin bringing stakeholders together to produce codes of conduct. There will be discussion about codifying the Consumer Privacy Bill of Rights. The FTC will release their report on privacy. This is not a time to be complacent. Engage with your trade associations and understand your risks.