Privacy advocates don't like it, and tech companies don't either
The good news: late last Friday, the White House released a proposed draft of something it calls a “Consumer Privacy Bill of Rights,” which theoretically would give Americans some protection or control regarding the data which various companies and businesses collect about them.
The bad news: That proposed “Consumer Privacy Bill of Rights” is so bad that not even President Obama's fellow Democrats have anything nice to say about it. Tech companies say the bill would stifle innovation and impose too many burdens, privacy advocates say it would do little or nothing to actually protect individual consumers' privacy, and Senator Ed Markey (D-Mass.) said the proposal would turn all online commercial interactions into “easy prey for digital bandits seeking to pilfer Americans' personal information.”
(A cynic might suggest that the White House itself doesn't have much faith in the proposal, else it wouldn't have released it late on a Friday afternoon, after most of The American Media had gone home for the weekend.)
The full draft is available here as a .pdf document; 24 pages of scintillating bureaucratic prose including this exciting sentence/paragraph, cut-and-pasted directly from page 6:
(m) “Adverse action” has the same meaning as in section 701(d) of the Fair Credit Opportunity Act of 1974 (15 U.S.C. § 1691(d)(6)) and section 603(k)(1)(B)(i)-(iii) of the Fair Credit Reporting Act (15 U.S.C. § 1681a(k)(1)(B)(i)-(iii)).
One of the more understandable parts of the proposal promises to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”
Note the word “commercial” (as opposed to such words as “public” or “governmental”): even in a best-case scenario, this proposal would only offer protection from companies seeking to make money off your personal information. It says nothing about protecting your privacy from the government or any branches thereof — nothing to stop the NSA's warrantless wiretapping, for example.
Yet according to critics, the proposal doesn't do much to protect consumers from commercial interests, either. The Consumer Federation of America said in a statement that the proposed “Bill of Rights” would actually be worse for consumer privacy than the current status quo:
Instead of putting consumers in control, it would allow businesses and organizations to decide what personal information they will collect, how they will use it, and what control, if any, they will give to consumers. … The bill would preempt stronger state privacy laws and make it harder for state authorities and the Federal Trade Commission to stop privacy abuses. It would also bar consumers from bringing their own lawsuits to protect their privacy. The bill would do little to change current practices and would actually weaken consumer privacy in the United States rather than strengthen it.
Another consumer-rights group, Consumer Watchdog, observed that “The bill envisions a process where industry will dominate in developing codes of conduct. The bill is full of loopholes and gives consumers no meaningful control of their data.”
The Associated Press noted that the bill would effectively allow industries to set their own privacy standards, and would also shield start-ups from punishment during their first 18 months of operation.
More vague than specific
What does the proposed bill actually have to say? It's more vague than specific. For example: the phrase “reasonable in light of context” appears multiple times throughout the document, first on page 6 under the subheading “Transparency”:
(a) In General.—Each covered entity shall provide individuals in concise and easily understandable language, accurate, clear, timely, and conspicuous notice about the covered entity’s privacy and security practices. Such notice shall be reasonable in light of context.
Then on page 8, under the subheading “Respect for Context”:
(a) In General.—If a covered entity processes personal data in a manner that is reasonable in light of context, this section does not apply. Personal data processing that fulfills an individual’s request shall be presumed to be reasonable in light of context.
(b) Privacy Risk Management.—If a covered entity processes personal data in a manner that is not reasonable in light of context, the covered entity shall conduct a privacy risk analysis including, but not limited to, reviews of data sources, systems, information flows, partnering entities, and data and analysis uses ….
The phrase appears three more times on page 9 before popping up again on page 10:
(a) In General.—Each covered entity may only collect, retain, and use personal data in a manner that is reasonable in light of context. A covered entity shall consider ways to minimize privacy risk when determining its personal data collection, retention and use practices.
And what does “reasonable [or not reasonable] in the light of context” actually mean? Good question. Apparently, that would be up to the tech companies to decide, which could definitely be harmful to consumers, yet might eventually prove harmful to tech companies as well; the vaguer the rules are, the easier it would be to unintentionally violate them.
CEO Michael Beckerman of the Internet Association, representing Google, Facebook, Amazon, Yahoo, and other companies, warned that the bill “casts a needlessly imprecise net…. It is essential that any privacy rules are finely tailored to address specific harms, so that innovation, which benefits consumers and the economy, can continue to flourish.”