Out-Law News 4 min. read

US Government outlines new data privacy principles

US organisations should give consumers means to control how their personal data is collected and used, the US Government has said.

The White House said the measure, which was announced as part of a new Consumer Privacy Bill of Rights (CPBoR), would help those companies build up "trust" in their relationship with consumers.

"Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data," the US Government said in a document (60-page / 668KB PDF) outlining the new data privacy principles.

"Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place," it said.

The CPBoR sets out a basic framework of rules that companies should observe in order to respect consumer privacy. The US Government wants law-makers in Congress to draft new privacy legislation that sets out the framework in greater detail. It has also called on industry stakeholders to draw up new "legally enforceable" self-regulatory voluntary codes giving companies the chance to sign-up to industry-specific rules that comply with the CPBoR framework.

The CPBoR sets out a general right for consumers to have access to "easily understandable and accessible information about privacy and security practices" in order to be able to exercise control over their privacy. The information should "provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties," the US Administration said.

Companies will be required to limit how they use and disclose personal data to the "context in which consumers provide the data" and should "provide heightened transparency and individual control" to consumers if the information is used or disclosed for other purposes, it said.

CPBoR also requires companies to be vigilant of security risks affecting consumers' data privacy and " maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure".

Companies must also give consumers a general right to "access and correct" the information they hold about them "in usable formats" and should themselves take "reasonable measures to ensure" personal data stored is accurate.

The framework also places limits on how much personal data US companies will be allowed to collect.

"Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Companies should collect only as much personal data as they need to accomplish purposes specified under the respect for context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise," the CPBoR states.

Firms should also be "accountable to enforcement authorities and consumers" in adhering to the CPBoR principles and should be required to train staff in how to handle personal data in line with those principles.

"Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise," the CPBoR said.

The US Government said it would "convene and facilitate" meetings with stakeholders across multiple industries so as "legally enforceable" privacy codes of conduct could be developed in those sectors.

The codes would implement the CPBoR and be enforced by the US' leading consumer protection regulator - the Federal Trade Commission (FTC), it said.

"The Federal Government will work with stakeholders to establish operating procedures for an open, transparent process. Ultimately, however, the stakeholders themselves will control the process and its results. There is no Federal regulation at the end of the process, and codes will not bind any companies unless they choose to adopt them," the White House said in its privacy framework report.

"The incentive for stakeholders to participate in this process is twofold. Companies will build consumer trust by engaging directly with consumers and other stakeholders during the process. Adopting a code of conduct that stakeholders develop through this process would further build consumer trust. Second, in any enforcement action based on conduct covered by a code, the FTC will consider a company’s adherence to a code favourably," it said.

The US Government said it hopes the codes can become mutually recognised across other jurisdictions in order to simplify the number of different rules companies would have to comply with "to obtain multiple regulatory approvals to conduct even routine operations".

"The Administration believes flexible multistakeholder processes that address novel uses and transfers of data facilitate interoperable privacy regimes ... The Administration encourages stakeholders to work together to identify globally accepted accountability mechanisms when developing codes of conduct," it said.

The US Government called on Congress to draft new privacy legislation that details what companies must do to adhere to the CPBoR. The legislation should give the FTC and State Attorneys General the right to enforce CPBoR "directly," it said.

"The FTC should have explicit authority to review codes of conduct against the Consumer Privacy Bill of Rights, as they are set forth in legislation," the US Government said.

The FTC should also have "the authority to grant a 'safe harbor' – that is, forbearance from enforcement of the statutory Consumer Privacy Bill of Rights – to companies that follow a code of conduct that the FTC has reviewed and approved. Companies that decline to adopt a code of conduct, or choose not to seek FTC review of a code that they do adopt, would simply be subject to the general obligations of the legislatively adopted Consumer Privacy Bill of Rights," it said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.