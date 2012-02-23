The White House will push Congress to put

legislative muscle behind an online privacy bill of rights, but in the meantime

will push industry to adopt those principles voluntarily. That would allow the

Federal Trade Commission to go after anyone who makes and breaks that pledge as

having engaged in an unfair and deceptive practice.

Separately,

the Digital Advertising Alliance, which includes the major advertising

associations, has committed to a browser-based do-not-track option that will

allow Web users to opt out of behavioral advertising and would be respected

across those participating in DAA's self-regulatory program,

which Stu Ingis, DAA General Counsel, said Wednesday is about 90% of

businesses.

The

browser-based option is still an opt-out, rather than opt-in mechanism, for Web

surfers. But those who opted out would be preventing "most" data that

would otherwise be collected, says Ingis, with narrow carve-outs for fraud

protection.

The

White House in statement said that "nearly" 90% of the companies

responsible for delivering online behavioral advertising had committed to using

the browser-based do-not-track technology including Google, Yahoo!, Microsoft,

and AOL. DAA says that it is targeting 9 months for

standard language and "user experience" for the opt-out mechanism

across all participating browsers.

Both

those announcements are coming officially Thursday at a white House privacy

briefing, according to administration officials, regulators and industry

representatives in a White House briefing with reporters in advance of that

event.

The

Federal Trade Commission has long pushed the browser-based approach. FTC

Chairman Jon Leibowitz praised the industry for the announcement, though he did

not suggest it was a solution to online privacy. "This is not the end, and

may not be the beginning of the end, but this is a big step," he said told

reporters.

Leibowitz

said that what he is seeing is "a lot for forward progress by industry." He

said that was a good thing for consumers and their privacy.

At

the event Thursday, the White House will officially endorse the Commerce

Department recommendation of a privacy Bill of Rights consisting of seven

principles (see below). That recommendation is the final work product of a

Commerce green paper on privacy issued in Dec. 2010.

The

goal is to both protect U.S. consumers and to make

it easier for Internet companies to do business internationally, where there

have been concerns about U.S. privacy policies.

"The Administration's plan lays the groundwork for increasing interoperability

between the U.S. data privacy framework

and those of our trading partners," the White House said late Wednesday.

White House Deputy Chief Technology Officer Daniel Weitzner

told reporters that the White House did not think self-regulation solved the

entire problem-given that not all businesses have to step and sign on. "For us,

the blueprint that is the consumer privacy bill of rights will give us a basis

for engaging with Congress and encouraging them to develop legislative

protections."

He said it was a complicated legislative challenge. Commerce

Secretary John Bryson said that they would work with Congress to implement

legislation, but would move forward regardless. "We cannot wait," he said.

Congress is unlikely to be able to pass comprehensive privacy legislation

before those legislators turn to reelection efforts.

Here

is the "Privacy Bill of Rights," as outlined by the White House and backed by

the President:

1.

INDIVIDUAL CONTROL: Consumers have a right to exercise control over what

personal data companies collect from them and how they use it. Companies

should provide consumers appropriate control over the personal data that

consumers share with others and over how companies collect, use, or disclose

personal data. Companies should enable these choices by providing

consumers with easily used and accessible mechanisms that reflect the scale,

scope, and sensitivity of the personal data that they collect, use, or

disclose, as well as the sensitivity of the uses they make of personal

data.

Companies

should offer consumers clear and simple choices, presented at times and in ways

that enable consumers to make meaningful decisions about personal data

collection, use, and disclosure. Companies should offer consumers means

to withdraw or limit consent that are as accessible and easily used as the

methods for granting consent in the first place.

2.

TRANSPARENCY: Consumers have a right to easily understandable and

accessible information about privacy and security practices. At times and

in places that are most useful to enabling consumers to gain a meaningful

understanding of privacy risks and the ability to exercise Individual Control,

companies should provide clear descriptions of what personal data they collect,

why they need the data, how they will use it, when they will delete the data or

de-identify it from consumers, and whether

and for what purposes they may share personal data with third parties.

3.

RESPECT FOR CONTEXT: Consumers have a right to expect that companies will

collect, use, and disclose personal data in ways that are consistent with the

context in which consumers provide the data. Companies should limit their

use and disclosure of personal data to those purposes that are consistent with

both the relationship that they have with consumers and the context in which

consumers originally disclosed the data, unless required by law to do

otherwise. If companies will use or disclose

personal data for other purposes, they should provide heightened Transparency

and Individual Control by disclosing these other purposes in a manner that is

prominent and easily actionable by consumers at the time of data

collection. If, subsequent to collection, companies decide to use or

disclose personal data for purposes that are inconsistent with the context in

which the data was disclosed, they must provide heightened measures of

Transparency and Individual Choice. Finally, the age and familiarity with

technology of consumers who engage with a company are important elements of

context. Companies should fulfill the obligations under this principle in

ways that are appropriate for the age and sophistication of consumers. In

particular, the principles in the Consumer Privacy Bill of Rights may require

greater protections for personal data obtained from children and teenagers than

for adults.

4.

SECURITY: Consumers have a right to secure and responsible handling of

personal data. Companies should assess the privacy and security risks

associated with their personal data practices and maintain reasonable

safeguards to control risks such as loss; unauthorized access, use,

destruction, or modification; and improper disclosure.

5.

ACCESS AND ACCURACY: Consumers have a right to

access and correct personal data in usable formats, in a manner that is

appropriate to the sensitivity of the data and the risk of adverse consequences

to consumers if the data is inaccurate. Companies should use reasonable

measures to ensure they maintain accurate personal data. Companies also

should provide consumers with reasonable access to personal data that they

collect or maintain about them, as well as the appropriate means and

opportunity to correct inaccurate data or request its deletion or use

limitation. Companies that handle personal data should construe this

principle in a manner consistent with freedom of expression and freedom of the

press. In determining what measures they may use to maintain accuracy and

to provide access, correction, deletion, or suppression capabilities to

consumers, companies may also consider the scale, scope, and sensitivity of the

personal data that they collect or maintain and the likelihood that its use may

expose consumers to financial, physical, or other material harm.

6.

FOCUSED COLLECTION: Consumers have a right to reasonable limits on the

personal data that companies collect and retain. Companies should collect

only as much personal data as they need to accomplish purposes specified under

the Respect for Context principle. Companies should securely dispose of

or de-identify personal data once they no longer need it, unless they are under

a legal obligation to do otherwise.

7.

ACCOUNTABILITY: Consumers have a right to have personal data handled by

companies with appropriate measures in place to assure they adhere to the

Consumer Privacy Bill of Rights. Companies should be accountable to

enforcement authorities and consumers for adhering to these principles.

Companies also should hold employees responsible for adhering to these

principles. To achieve this end, companies should train their employees

as appropriate to handle personal data consistently with these principles and

regularly evaluate their performance in this regard. Where appropriate,

companies should conduct full audits. Companies that disclose personal

data to third parties should at a minimum ensure that the recipients are under

enforceable contractual obligations to adhere to these principles, unless they

are required by law to do otherwise.