Recently, the Government Accountability Office (“GAO”) issued a report in reply to Senator Rockefeller’s (D-WV) request for information regarding the current status of consumer privacy regulations, and the changes needed to improve the legal framework. In the report, the GAO concluded that the introduction of new and more advanced technologies (e.g., social media and other mobile applications) has vastly increased the amount of personal information collected from consumers, and the number of parties using or sharing this information. Furthermore, the GAO concluded that the current privacy law regime warrants reconsideration in relation to a number of issues including: (1) consumers’ ability to control their personal information used for marketing purposes; (2) the types of personal information collected from consumers, as well as the sources and methods for collecting it; and (3) privacy controls related to relatively new technologies (e.g., web tracking and mobile devices).
The GAO found three major issues with the current statutory framework for online privacy protection: (1) the current framework does not fully address the extent to which consumers are sharing their personal information through social media networks; (2) that consumers have little control over how their personal information is collected, used, and shared with third parties for marketing purposes; and (3) that the current privacy regime is not aligned with the Fair Information Practice Principles (FIPPs) – a set of internationally accepted principles for protecting the privacy and security of personal information.
The GAO’s report also discussed the potential advantages and disadvantages of implementing a comprehensive, federal-based privacy law regime, as opposed to the current, state-based, sector-specific method of regulation. First, a comprehensive regime could fill any gaps left by a sector-specific regulatory model – including those businesses and forms of data collection and sharing that do not fit neatly into the existing framework. Second, a comprehensive framework would offer uniform privacy protections to consumers on a more reliable and consistent basis. This is because a federal legal framework could preempt any state law that deemed to be inconsistent with the national regime; thus eliminating the existence of a complex web of conflicting and confusing regulations on both the state and federal levels. Finally, a comprehensive privacy regime benefits business by reducing compliance costs, providing legal certainty, and building trust between consumers and businesses that collect and share personal information.
However, the GAO found that a one-size-fits all regulatory approach could be unduly burdensome for businesses because no single law could be crafted to fit the practices of each individual company or industry in an adequate fashion. The report also stated that many industry stakeholders believe the current sector-specific approach is well suited for addressing any gaps existing in the current framework. This can be accomplished through targeted rulemaking or legislation that addresses new technologies and marketing practices, including social media. Furthermore, refinement of the sector-specific approach is preferable because it may be more beneficial to focus on strengthening, extending, and updating existing legislation such as the Fair Credit Reporting Act (“FCRA”), and the Health Insurance Portability and Accountability Act (“HIPAA”) as both consumers and businesses are familiar with these existing laws.
The FIPPs, developed by the Federal Trade Commission, are a set of five principles rooted in the Privacy Act of 1974. They are summarized as follows:
1) Notice/Awareness: Consumers should be given notice of an entity’s information practices before any personal information is collected from them.
2) Choice/Consent: Consumers should be given options as to how many personal information collected from them should be used; specifically, those uses beyond those necessary to complete the contemplated transaction initiated by the consumer in providing his or her personal information.
3) Access/Participation: Consumers should be given the opportunity to access data about him or herself to contest and, if need be, correct that data’s accuracy and completeness in a timely and inexpensive manner.
4) Integrity/Security: Data collectors must take reasonable steps to ensure that data collected is both accurate and secure (e.g., using only reputable sources of data, cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form).
5) Enforcement/Redress: To be effective, self-regulatory regimes should include both mechanisms to ensure compliance (enforcement) and appropriate means of recourse by injured parties (redress). In addition to statutory schemes providing rights of action, and government enforcement mechanisms, companies should adopt self-regulation methods that at a minimum provide means for investigating, assessing, and remedying data security breaches.
Adopting these principles now will help clients and companies mitigate the costs associated with adjusting to its new privacy laws in the future by bridging the gap between the current and future legal frameworks.
Our firm will be continuing to monitor the debate over changes to the current privacy legal framework, and other developments in privacy law that can substantially impact clients and businesses. For more information about the firm’s privacy practice, please visit our website or contact Linda McReynolds, Certified Information Privacy Professional (CIPP/US), at firstname.lastname@example.org.