Could A Consumer Privacy Bill Of Rights Even Work?

from the must-we-formalize-everything? dept

The White House is making a big deal over its introduction of a Consumer Privacy Bill of Rights concerning corporations' use of personal data. Unlike Europe, where there are a bunch of privacy protection laws, the US has gotten by without such laws for the most part. I can certainly understand the desire for a bill of rights like this -- and like many, I'm creeped out about how some sites make use of my data (especially in that uncanny valley of targeted advertising) -- but I'm not so creeped out that I think a law is the answer. In fact, a few things about this plan leave me concerned.

Privacy rights are one of those things that seem like a good idea, but seem very difficult to actually implement effectively, without either stifling useful services that really aren't creepy or troublesome, or just creating a set of plans so meaningless as to be a waste of time. For example, we've long argued that privacy policies are pointless, but these days for many sites, it's required that you have one. This is one of those ideas that sounds good: of course a site should have a privacy policy! Except... no one reads these privacy policies, and most people (incorrectly) assume that if a site has a privacy policy, it means their information is private. But that's not necessarily the case. You could have a "privacy policy" that says "we widely share all your info and we mock you at the same time!" and as long as the company does just that, it's likely still a legit privacy policy.

And that leads to screwed up incentives. Basically, sites have the incentive to be broad, vague and not very thorough in their privacy policies, to avoid running afoul of their own rules (which is where they start getting into trouble with the FTC). If you create a really locked down privacy policy, it just means there are more opportunities for you to break those rules and face an issue with the FTC. Thus, to protect yourself, you write a very vague and broad privacy policy just to avoid having to worry about tripping over it.

My fear is that we end up with the same screwed up incentives, but on a wider scale, with this "bill of rights." Here's what the White House is suggesting:
  1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
  2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.
  3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.
  4. Security: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.
  5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.
  6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
  7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.

Now, I see a list like this, and, as a consumer, there are parts of it to which I instinctively say, "yeah, right on!" But, from the point of view of someone who runs a popular website, I look down that list and see possible pitfalls. There are a few areas where I could be afraid of accidentally violating such a "Bill of Rights," without meaning to and certainly without intending harm. That's what happens when you have vague laws. This isn't to say there should be a free for all, but I do worry that making this "Bill of Rights" a reality may chill certain innovative businesses, while also causing some disruptions for small ongoing businesses. This doesn't mean the issue shouldn't be tackled, but as with SOPA/PIPA, I'd rather there be a much clearer statement not just on the problem or the fix being worked on -- but on the wider implications of it.

And, if we're talking about "privacy rights," shouldn't the focus really be on the government? After all, in the real Bill of Rights we already have a 4th Amendment that is a form of privacy protection... and which the federal government keeps trying to chip away at. It seems kind of ironic that the same government that is talking about how we need a privacy "bill of rights" for consumers against companies, is actively trying to take away those same kinds of privacy rights when the government is involved...


Reader Comments

  1.  
    BentFranklin, Feb 23rd, 2012 @ 11:12am

    I would stop pushing the "uncanny valley" terminology re advertising. It's just targeted advertising, not at all the same thing as the AI meaning, aside from a similar sort of discomfort. It detracts from your valid points.

     

  2.  
    :Lobo Santo, Feb 23rd, 2012 @ 11:14am

    Wishful Thinking

    While the list is a bit vague, it generally shows some nice common sense.

    If it's going to be a law, it'll need ALOT more vague and ALOT less common sense.

     

  3.  
    Anonymous Coward, Feb 23rd, 2012 @ 11:22am

    Re:

    But that is the point of Uncanny Valley. It is useful but uncomfortable. So you get ads targeted at what you need and not wasting time looking through coupons that are of no need to you.
    For example, if you are anti gun, having coupons for 25% off ammunition is a waste of advertising space. On the other hand if you are pro gun and you get a coupon for the type of ammunition you need for the gun you just bought, it is like you are being watched.
    So the point is not only relevant, it aids the article.

     

  4.  
    Mike Masnick, Feb 23rd, 2012 @ 11:22am

    Re:

    I would stop pushing the "uncanny valley" terminology re advertising. It's just targeted advertising, not at all the same thing as the AI meaning, aside from a similar sort of discomfort. It detracts from your valid points.

    Appreciate the feedback, but I think it's an important point. Really good targeted advertising isn't targeted advertising at all. It's just useful. So I think the analogy works and I'm sticking with it.

     

  5.  
    awbMaven, Feb 23rd, 2012 @ 11:30am

    With opt-outs?

    A Privacy Bill Of Rights is not a Privacy Bill Of Rights when it has opt-outs.

     

  6.  
    Anonymous Coward, Feb 23rd, 2012 @ 11:32am

    Re: Wishful Thinking

    And maybe a provision that adds "tax incentives" to "job creators".

     

  7.  
    Anonymous Coward, Feb 23rd, 2012 @ 11:34am

    Someone play the role of 'company' for me for a moment, pls

    "Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data."


    OK, how do I, as a netizen, check what is being shoved down my internet cable when I surf? In that way perhaps I can see what data is giving me away. Anyone know any apps, preferably free [open source] apps?

     

  8.  
    :Lobo Santo, Feb 23rd, 2012 @ 11:39am

    Re: With opt-outs?

    There's a thought...

    Perhaps it would be possible to get a Constitutional Amendment passed which says something like "No person, entity, company, or agency shall suggest, request, or require in any manner that any person or persons give up any rights in any way."

    Of course, the law of unintended consequences on that one would be amazing to watch...

     

  9.  
    Y.Bhargav, Feb 23rd, 2012 @ 11:41am

    Confusion ....

    So the US government wants to form a consumer privacy bill of rights and the H.R.1981. How exactly will these both work together?

    One demands the ISP keep track of everything, the other demands they keep as little information as possible.

     

  10.  
    Chuck Norris' Enemy (deceased), Feb 23rd, 2012 @ 11:42am

    Re:

    I see your point but to me the term "uncanny valley" means the point where it becomes creepy. In the case of robotics the improvement (or simplification) of the robots themselves could pull them out of the region of the uncanny valley. For targeted advertising it will be a change in perception/acceptance in human nature that will eliminate the uncanny valley. In the recent Target instance Mike would have to say that the teenager getting maternity/baby product coupons was useful but it still creeps us out.

     

  11.  
    awbMaven, Feb 23rd, 2012 @ 11:46am

    Re: Re: Wishful Thinking

    "And maybe a provision that adds "tax incentives" to "job creators"."

    Why the heck do 'job creators' need 'tax incentives'?

    A job needs to be done, or it doesn't. The job creator should create jobs that add value by the work done in the job.

    Subsidizing a job with tax breaks takes food out of the mouths of the poor & kills old ladies. ;)

     

  12.  
    awbMaven, Feb 23rd, 2012 @ 11:48am

    Re: Re: With opt-outs?

    I can't agree with "suggest" - freedom of expression and all that.

     

  13.  
    Chosen Reject, Feb 23rd, 2012 @ 11:51am

    Re: Someone play the role of 'company' for me for a moment, pls

     

  14.  
    Anonymous Coward, Feb 23rd, 2012 @ 11:56am

    Re: Re:

    The problem is the uncanny valley deal is one of the manifestations of too much data collection, too much detail on customers.

    "chipping away at the 4th amendment" is nothing compared to a big company (like say Google) knowing way too much about me, my likes, my dislikes, the things I search for, the sites I visit, and so on. I don't like that they can relate my online activity to my smart phone (I have checked my gmail online... and with the phone, providing linking data) which allows them now to link all of my online searches, all of my email, and all of my travels (because who knows how much info is really being harvested by your smart phone).

    Google likely knows too much. It's not "uncanny", it's creepy and dangerous. I for one applaud the White House for realizing there are serious issues going forward that need to be addressed. Personal privacy should not be sacrificed so that a few advertisers can give you better targeted ads.

     

  15.  
    Anonymous Coward, Feb 23rd, 2012 @ 11:57am

    Re: Confusion ....

    HR 1981 only requires the ISP to keep track of your log on and log offs, and your IP while connected. There is no increase in personal data collection. Sorry, care to try your tin foil hat act again?

     

  16.  
    Anonymous Coward, Feb 23rd, 2012 @ 12:58pm

    NO more

    Regulations? Do we need more laws? The privacy bill of rights could in fact create some problems as well. Medical privacy laws force tons of paperwork for even the most minor appointments. If I could merge all my ppo/hmo info into a database to keep a history, I wouldn't have to re-invent the wheel every time I change doctors.

     

  17.  
    Anonymous Coward, Feb 23rd, 2012 @ 1:17pm

    Prevent the world and his wife from collecting personal data, then collect it all themselves. What a nice touch from the White House.

     

  18.  
    The Logician, Feb 23rd, 2012 @ 1:42pm

    Re: Re: Confusion ....

    And what of those with broadband, AC 14, who are always on and can never log off? Such data collection, in their case, will never end because there is no log off.

     

  19.  
    Suzanne Lainson, Feb 23rd, 2012 @ 2:02pm

    It gets the discussion going

    Tech companies have been blowing off consumer concerns and are now starting to feel some pressure from the media and consumers. However, for fear of falling behind in the data collection game, many of these companies will do whatever their competition is doing. Since there hasn't been good industry self-policing, now comes a nudge from the White House. It also becomes a way for the companies to come together and have the same rules which they can then take back to investors.

    The Internet has become a public utility and the companies that use it are now going to be held accountable by the public. You can have the directives come from Washington, or you can have the directives come from a citizen uprising. Either way, the people want to set the rules, and not leave it to the corporations, which are proving to be just as guilty of power grabs as all the other big entities over the decades.

     

  20.  
    Anonymous Coward, Feb 23rd, 2012 @ 2:38pm

    Why, sure it'll work...every bit as well as the bill of rights in our CONstitution works. For example, just look at how well the First, Second, Fourth, and Tenth Amendments have been working out for us lately.

     

  21.  
    Anonymous Coward, Feb 23rd, 2012 @ 2:44pm

    Re: Re: Re: Confusion ....

    A computer does have an on/off button, a power cord, and can be physically disconnected from the net.

     

  22.  
    Anonymous Coward, Feb 23rd, 2012 @ 2:49pm

    Re:

    The federal government doesn't keep trying to chip away at the 4th Amendment. The federal government has, for all intents and purposes, basically rendered the 4th Amendment null & void and has pretty much killed it.

     

  23.  
    NZgeek, Feb 23rd, 2012 @ 4:17pm

    Re: Wishful Thinking

    I hate to be the grammar police, but it's "a lot", not "alot".

    Perhaps this will help: http://hyperboleandahalf.blogspot.com/2010/04/alot-is-better-than-you-at-everything.html

     

  24.  
    Khaim, Feb 23rd, 2012 @ 6:03pm

    Re: Re: Re:

    The difference is that Google isn't going to kick down your door and haul you away for indefinite detention.

     

  25.  
    Khaim, Feb 23rd, 2012 @ 6:24pm

    Re: Re: Confusion ....

    "Personal data" doesn't just mean my name and health stats. It also means things like where I am and what I'm doing, if I'm in a private place. So what gives the government (via my ISP) the right to record all my internet activity?

     

  26.  
    Anonymous Coward, Feb 24th, 2012 @ 7:14am

    Re: Re: Re: Re:

    No, they are just going to sell your data to the guys who will kick down your door and haul you away for indefinite detention.

     

  27.  
    Anonymous Coward, Feb 24th, 2012 @ 4:26pm

    Re: Re: Wishful Thinking

    Aight.

     

  28.  
    Khaim, Feb 24th, 2012 @ 5:00pm

    Google selling data

    You think the government pays for data? Yeah right.

     

  29.  
    Richard, Feb 24th, 2012 @ 10:28pm

    An issue that may arise with privacy regulations is when a sensible bill gets watered down and/or tweaked by lobbying efforts, potentially becoming a regulation that is less than meaningful and/or an inconvenience to the public. This was touched upon in the Spyware Weekly Newsletter (December 21, 2004) from SpywareInfo. In addition, a federal law can be intended by industry interests to override a state law that is stronger with regard to privacy protection. The newsletter issue also talks about privacy regulations and absurd effects and unintended consequences.

     
