Guest Blog on Privacy Safe Harbors

The following is a guest post to the FPF Blog from Ira Rubinstein, a Senior Fellow at the Information Law Institute and Adjunct Professor at New York University School of Law

In early May, Reps. Rick Boucher (D-VA) and Cliff Stearns (R-FL) released a discussion draft of comprehensive privacy legislation. The draft bill would require companies that collect and use personal data to disclose their privacy practices and obtain consent for various uses of such data, including express consent for the collection or use of sensitive information. The bill also regulates online ads and specifically addresses targeted ads based on a user’s Web browsing history. Section 3(e) requires opt-in consent for third-party information sharing (e.g., with advertising networks) but offers a very narrow “safe harbor” exception for firms that follow certain defined practices (such as allowing a person to manage their preference profiles and to opt-out of receiving targeted ads).

Safe harbors are a very powerful regulatory instrument. In what follows, I offer some fairly radical ideas for greatly expanding the use of safe harbors in privacy law by adopting a regulatory approach sometimes referred to as “co-regulation.” I have written about these ideas at greater length in a law review article, Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes, I/S: A Journal of Law and Policy for the Information Society (forthcoming Winter 2011) available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1510275. All page references below are to the draft version currently posted on SSRN.

Background: The COPPA Safe Harbor

A safe harbor is a regulatory strategy under which a federal statute explicitly recognizes differences in industry performance by treating safe harbor participants more favorably than non-participants. In other words, safe harbors shield or reward regulated firms if they engage in desirable behavior as defined by statute. Favorable treatment for better performing firms might include immunity from liability, protection from certain penalties, exemptions from certain requirements, and/or permission to engage in certain desired behaviors. The key point to emphasize here (and which will be repeated several times to avoid any misunderstanding) is that eligibility for the benefits conferred by a safe harbor should be limited to firms meeting a high standard of performance that exceeds what is otherwise required of firms covered by the relevant statute.

In the privacy space, the best example of a safe harbor is found in the Children’s Online Privacy Protection Act (COPPA), which establishes an alternative means of compliance for operators that follow self-regulatory guidelines issued by an industry representative and approved by the Federal Trade Commission (FTC) under a notice and comment procedure. The COPPA safe harbor seeks to facilitate industry self-regulation by granting enforcement-related benefits (operators that comply with approved self-regulatory guidelines are deemed to be in compliance with the law) and by allowing greater flexibility in the development of self-regulatory guidelines in a manner that takes into account industry-specific concerns and technological developments. FTC approval of a COPPA safe harbor program turns on whether self-regulatory guidelines meet or exceed statutory requirements; include an effective, mandatory mechanism for the independent assessment of compliance with the guidelines (such as random or periodic review of privacy practices conducted by a seal program or third-party); and contain effective incentives to ensure compliance with the guidelines (such as mandatory public reporting of disciplinary actions, consumer redress, voluntary payments to the government, or referral of violators to the FTC).

The COPPA safe harbor programs have met with some success in terms of their enforcement programs but suffer from two main shortcomings: first, a very low rate of industry participation (presumably because deemed compliance is not a strong enough incentive to persuade many firms to bear the costs of joining a safe harbor program and abiding by its guidelines when they have to comply with all but identical statutory requirements in any case); and a lack of regulatory flexibility (all of the approved self-regulatory programs have nearly identical requirements to those of the COPPA statute). (For a brief case study of COPPA safe harbors, see my article, pp. 20-23.)

A New Approach to Privacy Safe Harbors

Roughly ten years ago, when Congress last considered online privacy legislation, several bills included provisions for a comprehensive self-regulatory safe harbor modeled on COPPA-for example, Rep. Markey’s Electronic Privacy Bill of Rights Act of 1999 (H.R.3321, 106th Cong. § 4 (1999)); Sens. Burns and Wyden’s Online Privacy Protection Act of 1999 (S. 809, 106th Cong. § 3 (1999)); Rep. Stearns’ Consumer Privacy Protection Act of 2002 (H.R. 4678, 107th Cong. §106 (2002)); and, Sen. Hollings’ Online Personal Privacy Act (S. 2201, 107th Cong. § 203 (2002)).

In contrast, Section 3(e) of the draft privacy bill provides a very limited safe harbor in the form of permission for firms to collect, use and disclose covered information for “individual managed preference profiles.” The requirements for such preference profiles” are as follows: (1) users must be provided with a readily accessible opt-out mechanism whereby the opt-out choice of the individual is preserved and protected from incidental or accidental deletion; (2) firm must delete or render anonymous any covered information not later than 18 months after the date the covered information is first collected; (3) firms must place a symbol or seal in a prominent location on both its website and on or near any ads it delivers based on a user’s preference profile that enables an individual to connect to additional information regarding advertising practices and allows individuals to review and modify, or completely opt out of having, a preference profile created and maintained by the firm or a an ad network; and (4) any ad network to which a firm discloses covered information must avoid further disclosure to any other entity except with the user’s express affirmative consent.

But Section 3(e) falls far short of a full-fledged safe harbor. Under a “co-regulatory” approach to privacy legislation as described in my article, industry would enjoy considerable scope in shaping self-regulatory guidelines, while government would set default requirements and retain general oversight authority to approve and enforce industry guidelines. This approach envisions a more collaborative, flexible and performance-based model of self-regulation and explicitly draws on critical insights from environmental regulation. The next few paragraphs briefly consider what this new approach to privacy safe harbors might look like and why it might attract industry support at much higher rates than that of the COPPA safe harbor programs.

As noted above, firms that joined a COPPA safe harbor program were subject to self-regulatory guidelines that were nearly identical to statutory requirements. Their incentives for joining were limited to deemed compliance and a largely empty promise of regulatory flexibility. In other words, COPPA failed in its efforts to treat safe harbor participants more favorably than other covered entities. A co-regulatory approach might proceed in a different manner, using both sticks and carrots as incentives. In the environmental setting, for example, sticks typically include a threat of stricter regulations or imposition of higher pollution fees, whereas carrots might take the form of more flexible regulations, recognition of better performance by the government, and cost-savings such as exemptions from mandatory reporting or easier and quicker permitting. Firms that demonstrate high performance avoid these sticks and/or enjoy these carrots. How would this approach translate into the privacy arena?

Over the years, many advocacy groups and privacy scholars have favored a private right of action and liquidated damages as enforcement mechanisms in any new privacy legislation. Not surprisingly, industry has argued that such remedies are both unnecessary and ineffective. This suggests that an excellent stick might be devised around a tiered liability system. Under this approach, new privacy legislation would allow civil actions and liquidated damages awards against firms that engaged in prohibited practices and did not participate in an approved safe harbor program. In sharp contrast, compliance with approved self-regulatory guidelines would not only serve as a safe harbor in any enforcement action but exempt program participants from civil law suits and monetary penalties. Other sticks might include broader opt-in requirements; external and independent audits of regulatory compliance and mandatory reporting to the FTC; and much stricter requirements for firms engaged in online behavioral advertising such as a total ban on the use of sensitive information in behavioral targeting and a data retention limit of one month.

In addition to these sharp sticks, the legislation might also offer safe harbor participants a number of sweet carrots including exemptions from civil actions and liquidated damages; cost-savings such as compliance reviews of its members by approved privacy seal programs as opposed to external audits; government recognition of better performing firms (e.g., an FTC “seal of approval” under which firms that meet safe harbor requirements are duly recognized); government procurement preferences for the products or services of participating firms (including contracts for cloud computing services); and regulatory flexibility in the form of tailored requirements addressed to specific business models such as online behavioral advertising (e.g., relaxed notice and consent and/or data retention requirements for firms that engage in practices similar to those described in Section 3(e)).

In summarizing this new approach to privacy safe harbors, it is essential to (re)emphasize that safe harbor benefits would be limited to firms demonstrating superior performance and would not be available to other covered entities that merely satisfy the default statutory requirements. In other words, a safe harbor provides incentives, in the form of sticks and carrots, but only to firms that meet higher performance standards. Here are a few preliminary ideas for these higher standards.

One idea, borrowed from COPPA, is that firms must participate in an industry seal program that incorporates both an effective, mandatory compliance mechanism and a complaint-handling system. Another idea is that firms must adhere to company- or industry-wide privacy guidelines that build privacy protection into the development of all products or services utilizing personal data. This process-which is sometimes referred to as “Privacy by Design”-would, at a minimum, require firms to identify privacy issues in every product or service they develop, create a privacy statement that describes how personal data will be handled in response to identified privacy concerns, and design features that protect customer’s privacy by applying all relevant aspects of a robust privacy framework. (One example is the APEC Privacy Framework (Nov. 2004), which includes nine principles of Fair Information Practices: preventing harm, notice, collection limitations, purpose limitations, choice, data integrity, security, access and correction, and accountability.) A third idea alluded to above is that participating firms would follow industry-specific best practices (such as the type of requirements imposed on online advertising firms under Section 3(e) of the draft bill). It is important to note that this is a very partial list of relevant performance standards. I offer a far more comprehensive list of ideas in my article (see pp. 49-50).

In thinking about this new approach to privacy safe harbors, two additional caveats are necessary: First, unlike previous or existing self-regulatory schemes, it would not suffice for industry alone to develop the relevant privacy performance standards or best practices. Rather, such standards must emerge from a multi-stakeholder process in which both advocacy groups and members of the public have an opportunity to participate. This requires that interested parties engage in difficult and perhaps protracted negotiations, and stay at the table until a consensus is forged. (This may seem impracticable, but three leading Internet firms recently partnered with a diverse group of non-governmental actors in a voluntary effort to negotiate free speech and privacy principle. After eighteen months of work, this multi-stakeholder group reached agreement and launched the Global Network Initiative (GNI), jointly committing to a set of principles and implementation guidelines as well as an accountability system based on independent, third-party assessments. For the GNI’s three core commitment documents, see http://www.globalnetworkinitiative.org/index.php.) Second, the government must reserve the final decision on whether the performance standards or best practices achieve a high enough level of privacy protection to warrant the granting of any proposed safe harbor benefits.

The COPPA safe harbor relied on a notice and comment procedure to approve proposed self-regulatory guidelines, but it is worth considering an alternative option that meets both of the above caveats, namely, negotiated rulemaking. This is a statutorily defined process by which agencies formally negotiate rules with regulated industry and other stakeholders as an alternative to conventional, notice and comment rulemaking. (See the Negotiated Rulemaking Act of 1990, codified as amended at 5 U.S.C. §§ 561-570.) In theory, a regulated firm or industry will seek to use the flexibility afforded by negotiated rulemaking to reduce costs and other burdens by developing alternative or innovative means of compliance that would be precluded by a statute’s default requirements, thereby gaining flexibility as to the timing of compliance investments, and reducing regulatory uncertainty. The incentives for regulators and advocacy groups to support this approach include the prospects of a higher level of benefits than would have been obtained, as a practical matter, under the standard default requirements (I discuss this at greater length in my article, pp. 44-46).

Negotiated rulemaking is most likely to succeed when two additional conditions are present: First, the regulatory agency should understand the industry and the issues well enough to have formulated a broad view of what a good regulatory solution should look like but it should not be wedded to a particular substantive outcome. Second, the substance of the regulation should require the credible transmission of information between the regulated entities and other interest groups–i.e., industry should possess unique knowledge and expertise such that it is in the best position to understand how regulation will affect its activities. Hence, industry cooperation is needed to ensure a satisfactory regulatory outcome.

Arguably, the present case satisfies both of these conditions. On the one hand, the FTC is very knowledgeable regarding online privacy but is not yet locked-in to any one approach. On the other, Internet firms (including network advertising firms) undoubtedly possesses greater expertise and insight into the complex technology and evolving business models underlying the digital world than either privacy advocates or FTC staff. In the past, this information has been shared or elicited mostly through one-sided communications-unilateral industry codes of conduct; complaints filed with the FTC; or charges and countercharges at public forums. In a (successful) negotiated rulemaking process, however, the parties have an incentive to educate each other, pool knowledge, and cooperate in problem solving.

Congress now seems poised to regulate online (and perhaps offline) privacy although it remains to be seen how tough it makes these regulations. Absent a safe harbor, privacy regulations might not be tough enough to satisfy advocates; alternatively, if the regulations are tough but the statute offers a safe harbor, that will bring industry to the negotiating table. In this way, a comprehensive safe harbor under which self-regulatory guidelines are agreed to via negotiated rulemaking (or a similar consensus-based process) would seem to be in everyone’s interest and might produce an optimal outcome.

Firefox Soon to Dent Behavioral Advertising?New Plans for Third Party Cookies.

A  friend just flagged to us the following activity on the Mozilla message boards indicating the latest updates to the browser code that is the base for the Firefox browser will dramatically change the handling of third party cookies.  Comments by Dan Wittes, leader of the cookie module at Mozilla,  explain that the current default ‘accept third party cookies’ option would result in changed behavior to make 3rd party cookies persistent only for the session.  Unchecking the default would completely disable all third party cookies.

So if a user keeps their computer on and browser open, tracking across sites will continue, but if a user closes their browser, tracking cookies will be deleted. (Of course there are folks who track across sites but rely on various methods to ensure their cookies are relayed in fisrt party context – there may be some legitimate circumstances to do this, but we think that any company doing that in order to avoid browser controls is likely to come across the radar screen of the FTC before too long.)