Feds aim to form Privacy Policy Office to guard consumer rights

The U.S. government proposed creating a Privacy Policy Office and adopting a framework that would equate to a bill of rights for consumers.

In a report, the U.S. Commerce Department said that this Privacy Policy Office would do the following:

Using existing resources, the Commerce Department should establish a Privacy Policy Office (PPO) to serve as a center of commercial data privacy policy expertise. The proposed PPO would have the authority to convene multi-stakeholder discussions of commercial data privacy implementation models, best practices, codes of conduct, and other areas that would benefit from bringing stakeholders together; and it would work in concert with the Executive Office of the President as the Administration’s lead on international outreach for commercial data privacy policy. The PPO would be a peer of other Administration offices and components that have data privacy responsibilities; but, because the PPO would focus solely on commercial data privacy, its functions would not overlap with existing Administration offices. Nor would the PPO have any enforcement authority.

Note the Commerce Department didn't call for legislation or any Do Not Track rules.

The Commerce Department also recommended that companies adopt a commercial data privacy framework to set a baseline expectation for consumer trust and fill gaps in existing policies.

This framework would be modeled after Department of Homeland Security rules that govern the use of personally identifiable information. The key points include:

  • Companies need to be transparent about data use.
  • Organizations should seek individual consent to collect, use, disseminate and maintain their information.
  • Companies should spell out how data will be used.
  • Data minimization should be deployed.
  • Companies should use personal data only for the use disclosed.
  • Personal data should be secure, accurate and audited.

Of those aforementioned points, the transparency item stuck out. The Commerce Department called for the end of privacy statements that are too complicated to understand. The Feds said:

Numerous comments and legal scholars have called attention to the lack of transparency under current commercial data privacy policy. There is reason to believe that lengthy and complex disclosure or notice policies may fail to inform; simplicity and clarity are generally preferable and may well be necessary to ensure transparency. Many commenters posed critical questions about the notice-and-choice model, at least when the relevant notice is not transparent. Under the current notice-and-choice model, consumers’ privacy rights depend on their ability to understand and act on each individual company’s privacy policy. These documents “are generally written in legalese that is unintelligible to the average consumer.” As a result of the number and complexity of such notices, this situation is “typically overwhelming to the average consumer.” The result, according to these commenters, is a lack of transparency into actual privacy practices and a diminished ability of consumers to make informed choices.

Here's how this framework and the PPO would work together:

The Commerce Department said that it's time for a more comprehensive privacy plan.

Privacy protections are crucial to maintaining the consumer trust that nurtures the Internet’s growth. Our laws and policies, backed by strong enforcement, provide effective commercial data privacy protections. The companies that run the digital economy have also shown a willingness to develop and abide by their own best practices. As we entrust more personal information to third parties, however, we can strengthen both parts of this framework.