The White House announced a Consumer Privacy Bill of Rights, the advertising industry promised to honor "Do Not Track," and California got tough on mobile privacy. Companies will have to show agility on their customer-facing policies.
At the federal level, the White House unveiled a proposed Consumer Privacy Bill of Rights on Wednesday. (CNET has a good summary.) The Commerce Department will begin meeting with industry representatives, privacy advocates, and others to develop enforceable policies based on the principles in the Bill of Rights, which include:
- Individual consumer control over what kind of data is collected
- Transparency regarding how data is used
- Respect by companies for the context in which data is provided
- Secure handling of data
- The ability for consumers to see and ensure the accuracy of data
- Reasonable limits on the amount of data companies try to collect and retain
- Accountability from companies that collect consumer data
The administration said it would work with Congress to get those principles encoded into law and harmonized with privacy regimes in other countries. (The US has been an outlier in not embracing Article 12 of the Universal Declaration of Human Rights. The proposed Bill of Rights would bring this country closer to the EU's practice.)
Rounding out this week's big privacy news, the advertising industry has promised to honor browser-based Do Not Track requests from users, as the Wall Street Journal first reported. The Digital Advertising Association (DAA), which has been resisting Do Not Track for years, said it will work with the major browser makers to arrive at a (we hope) simplified and uniform way for users to declare that they prefer not to be tracked across the Web.
The privacy researcher Christopher Soghoian first championed the Do Not Track idea three years ago. He recounts the history in a post titled "Do Not Track: First they ignore you, then they ridicule you, then they fight you, then you win." DNT is a simple header sent by the browser with every Web (HTTP) request. It has been implemented in Firefox, Internet Explorer, Opera, and Safari. Only Chrome has been a holdout, but during the flurry of announcements Wednesday, word came that Google would be implementing Do Not Track in Chrome.
Until these announcements, the problem was that few advertising companies (if any) paid attention when they saw a Do Not Track header. With the DAA's commitment to require members to honor Do Not Track, within a year more than 90 percent of advertisers should be on board.
What does "honoring Do Not Track" entail? A working group of the World Wide Web Consortium (W3C) has been meeting to define exactly that -- it's not a simple problem. The first report in the Wall Street Journal left some doubt as to whether the DAA would use the W3C's definition of Do Not Track or something else. Now it is clear that the W3C will be deeply involved with the advertising industry as the DAA's plan unfolds over the coming months. In fact, many DAA member companies have been meeting with the W3C working group since last fall to define and standardize Do Not Track. (There's a summary of their progress on the Opera site.)
So a year from now, it should be possible for an average user to click a DNT button in any browser to opt out of the vast majority of advertiser tracking and targeted advertising. But note that Facebook considers Do Not Track an interesting idea that doesn't apply to the company. It will be instructive to see whether Google decides something similar holds for its Google+ network, though its DoubleClick advertising network will be compliant.
This week's events are a clear indication that the winds blowing in the direction of consumer privacy have become a gale -- and this is before Congress gets down to serious work on legislation. Are these developments in alignment with your privacy policies?