«Pt. I»«Ch. 12 »«§ 12.04»

1 Bender on Privacy and Data Protection § 12.04 (2020)

§ 12.04.  Defining a Consumer Privacy Bill of Rights

«Pt. I»«Ch. 12 »«§ 12.04»•[1]»

1 Bender on Privacy and Data Protection § 12.04[1] (2020)

[1]  Fair Information Practice Principles (FIPPs).

Strengthening consumer privacy and promoting innovation require privacy that is comprehensive, actionable, and flexible. Despite major changes in the collection and processing of personal data, the FIPPs continue to provide a solid foundation for consumer privacy, even though processing is now much more decentralized and pervasive than when FIPPs were developed. The central challenge is to protect consumer privacy expectations while providing companies with the certainty they need to continue to innovate. The Bill carries the FIPPs forward in two ways: it affirms a set of consumer rights that inform consumers of what they should expect, while recognizing that consumers have certain responsibilities to protect their privacy; and it reflects the FIPPs in a way that emphasizes the importance of context. Personal data refers to any data, including aggregations, linkable to a specific individual, and may include data linked to a specific device. A summary of the seven FIPPs comprising the Bill follows.

«Pt. I»«Ch. 12 »«§ 12.04»«[2]»

1 Bender on Privacy and Data Protection § 12.04[2] (2020)

[2]  Individual Control.

Companies should offer clear and simple choices in a manner permitting consumers to make meaningful decisions, with means to limit or withdraw consent. This FIPP has two dimensions. First, at collection, choices must be presented regarding collection, use, sharing, and disclosure, appropriate to the scale,1 scope,2 and sensitivity of the personal data. Companies contracting with third parties that collect directly from consumers should ask how the third parties acquire and use that information. The uses to which the data will be put should help shape the range of appropriate individual control options. Privacy-enhancing technologies such as a Do-Not-Track mechanism permit consumers to exercise some control.3 The second dimension of this FIPP is consumer responsibility. Control over the initial act of sharing is critical, and consumers should take responsibility for those decisions. The privacy interest persists throughout the relationship, so that withdrawing consent must stand on equal footing with obtaining it.

«Pt. I»«Ch. 12 »«§ 12.04»«[3]»

1 Bender on Privacy and Data Protection § 12.04[3] (2020)

[3]  Transparency.

Consumers have a right to easily understandable and accessible information about privacy and security practices. These statements should be visible to consumers when most pertinent to understanding privacy. Uses not consistent with context require more prominent disclosure. Mobile consumers must be provided with the most relevant information in a way that takes into account the characteristics of their devices. Companies that do not interact directly with consumers (e.g., data brokers) must provide explicit explanations of how they acquire, use and disclose, for example, by posting on their websites.

«Pt. I»«Ch. 12 »«§ 12.04»«[4]»

1 Bender on Privacy and Data Protection § 12.04[4] (2020)

[4]  Respect for Context.

Companies must collect, use, and disclose in a way consistent with the context in which consumers provide the data. If a company will use or disclose outside that context, it must disclose those practices in a prominent and easily actionable way. This FIPP derives from two fair information principles: purpose specification, and use limitation. Companies may infer consent to use and disclose for objectives consumers specifically request, and may generally infer consent to use for marketing for first-party relationships, and for activities such as complying with legal obligations, preventing fraud, and analyzing how consumers use a service in order to improve it. The terms governing the relationship are one element of context.

Advertising supports innovative services and helps provide consumers with free access to a broad array of online services. This FIPP forecloses no ad-based business model. But companies must recognize that different models raise different privacy risks. Companies are encouraged not to collect data used to make employment, credit, or insurance eligibility decisions that may have significantly adverse consequences.

«Pt. I»«Ch. 12 »«§ 12.04»«[5]»

1 Bender on Privacy and Data Protection § 12.04[5] (2020)

[5]  Security.

Consumers have a right to secure and responsible handling of their personal data. Appropriate security precautions depend, inter alia, on lines of business, types of personal data maintained, and likelihood of harm to consumers. Companies should choose the technologies and procedures that best fit the scale and scope of the data they maintain.

«Pt. I»«Ch. 12 »«§ 12.04»«[6]»

1 Bender on Privacy and Data Protection § 12.04[6] (2020)

[6]  Access and Accuracy.

Consumers have a right to access and correct their personal data in usable formats in a manner appropriate to its sensitivity and the risk of adverse consequences to them if the data is inaccurate. Outside of sectors presently controlled by federal privacy laws, consumers lack this right. This FIPP must be interpreted with respect to First Amendment values, especially for non-commercial speakers and individuals exercising freedom of the press.

«Pt. I»«Ch. 12 »«§ 12.04»«[7]»

1 Bender on Privacy and Data Protection § 12.04[7] (2020)

[7]  Focused Collection.

Consumers have a right to reasonable limits on the personal data companies collect and retain. Companies should collect only data they need for the stated purposes, and should dispose of or de-identify it when no longer needed, absent a contrary legal obligation.

«Pt. I»«Ch. 12 »«§ 12.04»«[8]•

1 Bender on Privacy and Data Protection § 12.04[8] (2020)

[8]  Accountability.

Consumers have a right to have their personal data handled by companies with appropriate measures to assure adherence to the Bill, who are accountable to enforcement authorities and consumers for adhering to these principles. Companies should evaluate employee performance, and ensure that third party data recipients are under enforceable contracts. Appropriate evaluation techniques need not necessarily be a full audit, and will depend on size, complexity, nature of business, and sensitivity of data. Having a CPO is beneficial. Companies should link evaluations to the enforcement of pre-established internal expectations. Accountability must attach to data that is transferred, with emphasis on wither a disclosure leads to a use inconsistent with the context of collection.

Footnotes — § 12.04:

1  “Scale” refers to the number of individuals involved.

2  “Scope” refers to the range of activities and time period reflected.

3  Do-Not-Track mechanisms require development to ensure they are easy to use, strike a balance with innovative uses of data, account for public safety, and give consumers a clear picture of the costs and benefits of limiting personal data collection.