The White House released its "Consumer Privacy Bill of Rights in a Networked World" Thursday, outlining key rights and safeguards Americans should expect when they do business online.

The proposal is notable in that it marks the first time the Obama Administration has articulated clear-cut support for consumer privacy protections. While the proposal is voluntary for now, the administration is calling on Congress to draft laws based on the protections outlined in the Consumer Privacy Bill of Rights while simultaneously calling on companies to voluntarily comply.

If Congress chooses to honor the president's request, it would expand Federal Trade Commission authority over Web companies by writing laws to cover firms and practices not covered by existing federal law. While the report does not mention any companies by name, some points seem clearly aimed at tech-sector heavyweights.

"There have been similar privacy initiatives and legislation introduced in the past few years and each has failed to be enacted into law, including a bill that was introduced by Senators Kerry and McCain," said White & Case Partner Daren Orzechowski, who focuses on information technology legal matters, including privacy. "While discussing such rights at this time may be of interest for political reasons, it will be interesting to see if meaningful legislation is actually passed."

In a cover letter to the report, President Barack Obama likened the Consumer Privacy Bill of Rights to a set of guidelines that consumers could reasonably expect and companies should agree to work under.

"Privacy protections are critical to maintaining consumer trust in networked technologies. When consumers provide information about themselves - whether it is in the context of an online social network that is open to public view or a transaction involving sensitive personal data - they reasonably expect companies to use this information in ways that are consistent with the surrounding context," Obama wrote. "Many companies live up to these expectations, but some do not."

Laws based on the Consumer Bill of Rights would give the Federal Trade Commission greater oversight of online privacy. That could put companies ranging from a start-up using boilerplate privacy policies to behemoths like Facebook under a regulatory spotlight. Among the key points, as outlined in the report's executive summary:

  1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
  3. Respect for Context: Consumers have a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  4. Security: Consumers have a right to secure and responsible handling of personal data.
  5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

It's unlikely that Congress would move to pass such sweeping legislation in an election year, particularly federal legislation that increases government oversight of the private sector. But it does put the Obama administration on the record in supporting consumers.

Orzechowski noted that "under current US law, the actual financial exposure for a company that has a privacy related legal violation is, for the most part, not significant. The concerns are more related to public relations and image rather than legal exposure."

Beyond that, the report sets up a voluntary framework and seeks input from companies as the White House looks for ways to protect consumer data and personal information.

Other key points in the report:

  • The proposal does not allow people to easily escape all Internet tracking. While it does require companies to allow people to opt in, it won't cover sites you already have relationships with. In other words, if you already have a Facebook account, it's up to you to go in and check your privacy settings.
  • Companies that volunteer to comply with the guidelines will effectively subject themselves to FTC review. That seems to help the administration circumvent the difficulty of passing such a far-reaching bill.
  • The proposals were created in a way to avoid some of the problems the European Union is having with its privacy directive. "They have this very high-level, broad law that says, 'protect people's privacy.' And what does that mean in practice? No one is exactly sure. And that's the difficulty that you always face when you try to translate high-level laws into rules," Justin Brookman, the director for the non-profit civil liberties group Center for Democracy and Technology's Project on Consumer Privacy, told InformationWeek.

"When passing privacy regulation, there has to be a balance that allows for technology growth, while addressing social concerns," Orzechowski said. "Remember an entire industry, particularly online advertising, developed in an environment created by the government's election not to aggressively legislate. It would be unfair to completely change the rules and pull the rug out from under such businesses. Individual privacy is very important, but regulation should not cripple the advancements of technology and so a balance is necessary."