What Do the Consumer Privacy Bill of Rights and Net Neutrality Have in Common?

On Friday, February 27, as many contemplated the Federal Communications Commission’s votes on network neutrality and municipal broadband, the White House released a discussion draft of the Consumer Privacy Bill of Rights Act of 2015. The bill, not yet introduced in Congress, aims to establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders. Back in January, in the lead up to his State of the Union Address, President Barack Obama promised this legislation as a follow up to the Administration’s 2012 Consumer Privacy Bill of Rights. Although prospects for the draft bill seem minimal in a Republican-controlled Congress, the Consumer Privacy Bill of Rights – coupled with the net neutrality decision – mark a new commitment to both discuss privacy protections and enforce them.

The Consumer Privacy Bill of Rights Act of 2015

The White House proposal, at its core, calls on industries to develop their own codes of conduct on the handling of consumer information. It also charges the Federal Trade Commission with making sure those codes of conduct satisfy certain requirements — like providing consumers with clear notices about how their personal details will be collected, used and shared. Companies that violate those requirements could be subject to enforcement actions by the FTC or by state attorneys general.

In a fact sheet accompanying the draft legislation, the White House said the proposal seeks to provide "consumers with more control over their data, companies with clearer ways to signal their responsible stewardship over data and strengthen relationships with customers, and everyone with the flexibility to continue innovating in the digital age.” Here’s how the White House summarizes the bill:

This legislation would provide consumers with clear rights to exercise individual control over data, including to:

• Understand How Data Will Be Used — with up-front, plain-language notices to tell consumers how their information will be collected, used, and shared.
• See and Correct Data Held by a Company – to provide consumers with a better understanding of the data companies store and process concerning consumers, as well as the opportunity to correct inaccurate information.
• Keep Data in the Proper Context — to ensure that sensitive data provided for one purpose is not then reused or resold in ways that would cause surprise and concern.
• Remove their Data — to ensure consumers who want to cancel their accounts or remove their data have the opportunity to do so.

While allowing our entrepreneurs and companies to:

• Understand Privacy Risk — with important definitions of the kinds of harms for which companies should be on the lookout, and take steps to prevent.
• Focus Collection of Data — by not collecting unnecessary, sensitive data that, when stored, could create risks for companies’ security, bottom line, and the trust of their users.
• Develop Codes of Conduct Specific to their Industry — to provide more tailored best practices for particular business sectors, that when approved by the Federal Trade Commission, would provide safe harbors for responsible use of data.
• Prepare and Use Customary Business Records – by identifying how this basic need of businesses fits into a privacy-protective framework.

The White House says this discussion draft builds on the United States’ tradition of strong privacy enforcement, empowering the FTC and state attorneys general to monitor and enforce its provisions. At the same time, it recognizes the dynamic nature of the information economy by:

• Preserving Data Innovation — making clear that companies can still use collected data for customary business purposes, and to protect consumers, respond to their preferences, and improve services.
• Protecting Small Businesses — ensuring that startups, companies with minimal data holdings, and those with little to no impact on consumer privacy do not face unnecessary new burdens.
• Anticipating Changes in Technology — allowing the FTC to dynamically interpret the definition of “context,” and adjust the range of covered entities, to account for emerging technologies and business practices.

While the White House’s proposal does not explicitly require companies to obtain affirmative consent to collect health information, it does call on companies to give individuals reasonable means to control the use of their personal data, depending on the context and “in proportion to the privacy risk.”

A Tepid Response

Upon its release, the Consumer Privacy Bill of Rights garnered little support. “Instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally-enforceable rules that companies must abide by and consumers can rely upon,” said longtime privacy advocate Senator Ed Markey (D-MA).

Privacy expert Omer Tene, however, thinks the Consumer Privacy Bill of Rights Act could be a powerful tool: “Today, the Federal Trade Commission (FTC), already the most powerful privacy regulator in the world, is armed with a slingshot. It has interpreted its authority under Section 5 of the FTC Act to enforce against “unfair or deceptive acts or practices,” which dates back to the 1930s, judiciously, incrementally—some think overcautiously. By comparison, the [the Consumer Privacy Bill of Rights] would provide the FTC with a military-grade automatic weapon. It would empower the agency to effect a sea change in entire swaths of the data economy that have thus far been sparsely regulated.”

Alvaro Bedoya, Director of the Center on Privacy and Technology at Georgetown's law school, worried that Obama's proposal could actually preempt state laws, in favor of letting companies collect what they want as long as they maintained some level of transparency. He cites rules in Illinois and Texas that ban companies from collecting biometric information without permission. "This bill would erase those protections without offering any clear replacement," he said, adding that it "seems to assume a world where all of our data is collected about us, all of the time." Ultimately, Bedoya hopes whatever reaches Congress will be more specific and authoritative, opening the door to meaningful reform.

In some ways, offered Ryan Calo, an Assistant Professor at the University of Washington School of Law, the draft bill would afford consumers more privacy rights than they currently have. Consumers are allowed to see information about them held by credit reporting agencies, but do not have the right to see, correct, or delete data that is collected about them for other purposes. The draft legislation would extend credit-reporting protections to more categories of consumer data, such as that held by advertisers or makers of wearable devices. The FTC can prosecute a company for “unfair or deceptive trade practices” but does not require that companies share data with consumers or submit to government audits of their software. But Calo said that, in creating a federal standard for data collection, the bill could disempower individual states, particularly California, which has been at the forefront of digital privacy legislation.

Consumer Watchdog said the bill is "full of loopholes" and it "envisions a process where industry will dominate in developing codes of conduct."

The Center for Digital Democracy said it relies too much on companies' judgment to decide whether information is sensitive and how it should be managed, limiting the FTC's power. "Although the President's Privacy Bill of Rights promised transparency and control, it creates a labyrinth-like process that consumers must navigate before they can actually access and correct their own data records held by companies."

The Center for Democracy and Technology said it "falls short on the privacy protections needed in today's digital world." [see CDT's analysis of the bill]

Consumer Watchdog and the Center for Democracy and Technology joined the Electronic Frontier Foundation, Public Knowledge and many other groups who expressed concern that the draft bill doesn’t go far enough to protect consumers. The groups criticized the draft bill for not adequately defining “what constitutes sensitive information,” not being clear about whether it protects large categories of information like geolocation data, allowing companies to retain user data indefinitely for criminal investigations without placing clear limits on data retention for that purpose, and not offering heightened protection for information about children and teens. In addition, the organizations take issue with being left out of consultations. In a letter the groups calls for the Obama Administration to work with the privacy groups to craft a bill that “creates strong, meaningful protections for consumers.”

While the privacy groups criticized the proposal as offering weak protections for consumers, some business groups said the plan would create too many regulations for businesses.

The Information Technology Industry Council -- a group supported by Microsoft Oracle, Facebook, Google and other technology companies -- struck a cautionary note. “The U.S. has a robust legal framework of privacy protections that protect consumers’ information while enabling industry to continue to innovate and offer the services that consumers rely on and expect,” the group said. “Any efforts to modify this framework must be carefully considered with a meaningful opportunity for all relevant stakeholders to participate in the process.” Currently, industry practices tend to run counter to the goals of the legislation. By and large, companies offer densely-worded privacy policies that reserve rights to collect users’ data in perpetuity and explain very little about how data may be used.

Several existing laws already provide strong privacy protections to consumers, said the Association of National Advertisers. The proposal “unfortunately is a major step in the wrong direction,” ANA Group Executive Vice President Dan Jaffe wrote. “It will divert attention and energy from critical data security legislation and will not materially aid the privacy debate.”

Microsoft heralded the draft bill as a welcome first step in improving consumer trust in how companies handled their information. “The White House framework tackles issues that are crucial to build trust and foster innovation,” wrote Brendon Lynch, Chief Privacy Officer of Microsoft. “Not all will agree with every aspect of the proposal — some will say it goes too far, while others will say it doesn’t go far enough — but it’s a good place to start the conversation.”

Industry analysts said that the proposal, along with several other legislative efforts on commercial privacy, was unlikely to be enacted in a Republican Congress.

"The good news is this bill is dead in the water," said Berin Szoka, President of TechFreedom. "With its credibility on privacy in tatters, the Administration apparently gave up on finding Congressional sponsors for the bill."

Network Neutrality, Title II and Privacy

Circling back to February 26 and the FCC’s landmark vote on net neutrality, we see there’s privacy implications in the decision to regulate broadband services under Title II of the Communications Act and privacy expert Omer Tene sees as a connection, too: “In both cases, government sides with individual consumers trying to rebalance a playing field that many view as tilted in favor of a consolidated corporate power.”

As David Lazarus was quick to point out in the Los Angeles Times, Section 222 of the Communications Act requires that telecommunications companies protect customers' "proprietary information," that is the info relating to “the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service subscribed to by any customer.” Section 222 also applies to information "that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship."

“This could be a game changer,” Lazarus writes, “requiring Internet service providers (ISPs) to seek customers' permission before monitoring or sharing personal information.”

Privacy advocates say this is probably a win for consumers, because for the first time ISPs will have to abide by a specific set of rules designed to protect the privacy of communications.

"Potentially, this could apply to every Web request you make," said Marc Rotenberg, head of the Electronic Privacy Information Center. "If the same safeguards that now apply to phone services are applied to broadband, this could have major implications for Internet service providers."

"Clearly, where you go and what you do on the Internet qualifies as proprietary information under the law," said the University of Washington’s Calo. "This potentially covers a lot of ground."

Conservatives are none too pleased with the President’s privacy proposal or the FCC’s net neutrality decision. The privacy proposal, coupled with the net neutrality rules, amounts to an attack on the Open Internet, says TechFreedom President Berin Szoka. The proposal would “fundamentally change the way Internet businesses work.” The proposal would have no impact on ongoing government surveillance programs, Szoka added. “It takes real chutzpah for the White House to talk about a Consumer Privacy Bill of Rights when the real Bill of Rights has never been more under siege—and this Administration has done precious little to defend them,” he said.

FCC spokesperson Mark Wigfield confirmed that the agency's decision did give it more oversight over the privacy practices of Internet service providers. The FCC will take further actions to define how those protections apply to broadband if necessary, he said.

Privacy advocates say the FCC is pretty aggressive at enforcing its current privacy rules on telephone providers. "The FCC's privacy regulations have worked very well, which is why so many people are unaware of them -- because they are so rigid about enforcing them, people don't even have to think about it," said Public Knowledge’s Harold Feld. "It's an area they've always taken...very seriously."

What could it mean for consumers’ experience of the Internet? Potentially, the FCC could rein in some controversial online tracking practices, like "supercookies," unique identifiers that some mobile broadband providers have been inserting into their customers' traffic, according to Feld, or at least require more robust consent mechanisms. "A lot of the practices we see on the broadband side are unthinkable on the telephone side because no one would even think of trying them," he said.

In practice, the new FCC rules are likely to mean that: 1) ISPs will have to fully disclose the terms and conditions of any broadband plan under the FCC’s transparency rules; 2) ISPs will be required to protect the privacy of their customers; and 3) Internet users no longer would be required to opt out of having personal information shared with others. Instead, broadband providers will likely be required to ask customers to opt in for such data sharing. Cable and phone companies will fight aggressively to maintain an opt-out standard for customer privacy. They know that relatively few people go to the trouble of opting out, which gives the telecom industry a powerful advantage.

Ultimately, we may see more “privacy premium plans” like the one AT&T is rolling out. The company charges a base price of $70 a month for its high-speed GigaPower broadband service. But that includes having AT&T snoop on your browsing and using the data to help marketers target you with ads. If that's not your cup of cyber-tea, AT&T will allow you to pay an extra $29 monthly to stop it from spying on you. GigaOm’s Stacey Higginbotham wonders, however, if AT&T’s Internet Preference Plan will stand up to FCC scrutiny. The FCC could take issue with AT&T’s use of deep packet inspection to watch where its customers are surfing, and use of economic incentives to essentially coerce customers into accepting this plan.

Conclusion: Is Privacy the New Antitrust

Omer Tene writes that “The role that antitrust played in the wake of the Industrial Revolution is being captured by privacy in the Digital Age. Privacy has become the boundary, the limiting principle, the litmus test for the delicate balance between the tremendous benefits and formidable risks of a dizzying array of technological innovations.”

We'll be tracking the privacy debate as it evolves and, as always, we'll see you in the Headlines.