Proposed Consumer Privacy Regulations Face Challenges
This week, the issue of online data privacy received more than its fair share of attention. And with good reason.
The Obama administration announced Thursday that it intended to place increased importance on online privacy with the proposed “Consumer Privacy Bill of Rights,” designed to give users a greater say in how their online information is handled, while establishing protections to prevent consumer data from being misused by businesses or advertisers.
The proposed Bill of Rights—a collaborative effort to be spearheaded by the Commerce Department and involving privacy advocates, businesses and other stakeholders—covers six major areas related to online data protection.
Transparency: Consumers have a right to easily understandable information about privacy and security practices.
Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Security: Consumers have a right to secure and responsible handling of personal data.
Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
Meanwhile, with the increased scrutiny on consumer data privacy, numerous advertising networks, tech companies and Internet search engines are committing to implementing Do Not Track technology that would enable users to monitor online tracking or eliminate it altogether while they surf the Web. Google, Yahoo!, Microsoft, and AOL were among the biggest companies agreeing to implement Do Not Track, which would be enforceable by FTC regulations.
Yes, but will the impending policies and privacy regulations lead to a significantly safer Internet experience for the consumer? Well, perhaps.
Derek Manky, Fortinet senior security strategist, says the proposed regulations are a good start, and could give the average consumer more control over who can access their personal online data. But there are a few challenges that might prevent the proposed legislation from being an effective data security mechanism.
Updates: While often implemented with good intentions, government regulations regarding technology—especially with something as dynamic and mutable as security—often fall short due to bureaucratic lags in effecting change, and lack of timeliness and relevance. “The biggest challenge is updating. Information and technology are so dynamic, any legislative pieces typically tend to fall behind years and years,” Manky says.
Enforcement: Ideally, the proposed Bill of Rights will be enforced by the FTC. But until adequate penalties for violations are clearly delineated and carried out, the likelihood is high that it will become another compliance regulation (e.g. PCI DSS).
User Behavior: Even with copious data protection policies in place, users tend to get complacent about sharing their information online (e.g. Facebook, Foursquare, etc.). While the regulations will block advertisers and other organizations from accessing certain types of data without the users' knowledge or consent, they won't force users to care about where and how they reveal personal information online, or prevent them from sharing on Facebook that they went skiing after calling in sick to work. “It's a click happy world,” Manky says. “By making this front and center in public brings focus and attention to the matter -- which should start making people care. That should really be the goal over several years; making people care.”
The Prevalence of Cybercrime: While the proposed Consumer Privacy Bill of Rights will block some organizations from accessing certain information, it will do little to prevent data from being compromised in a widespread or targeted cyber attack. “It may make an impact to online privacy to the consumer - the individual who is searching the 'Interwebs' to find information on their ex or enemy,” Manky says. “However, when it comes to cybercrime, not a large impact at all. Sure, you can reduce data sharing rates -- but information will still be stored somewhere and can be targeted by criminals.”