Commerce Department Will Push Privacy Codes of Conduct

U.S. privacy codes of conduct drafted by businesses, consumers and privacy advocates working together will work better than government regulation or legislation, a top official with the U.S. Department of Commerce said Thursday.

The agency intends to convene groups to work on new privacy codes, with the intention of creating “flexible and enforceable” agreements, said Cameron Kerry, general counsel there. While new privacy codes are needed to make Web users “feel safe,” they don’t need to come in the form of regulations, he said.

“We need a process that is nimble enough to respond quickly to consumer data privacy issues as they emerge and can address them without the need for legislation or regulation,” Kerry said during a speech at the Brookings Institution. “Legislation and regulation simply do not move at Internet speed.”

Kerry’s brother, Democratic Senator John Kerry of Massachusetts, co-authored a privacy bill introduced in April that would require Web-based businesses that collect consumer information to give clear notice about the data collection and allow consumers to opt out.

But Cameron Kerry said Thursday the Department of Commerce won’t wait for Congress to act. The agency will push forward with a “multistakeholder” process to create privacy codes of conduct. The new codes need to have stronger teeth than current self-regulatory efforts from e-commerce groups, and the agency efforts can provide a “nudge from the government,” he said.

Kerry’s speech echoed the themes of a Department of Commerce privacy paper released in December. It called for a new privacy bill of rights and voluntary but enforceable codes of conduct.

Kerry didn’t give a timetable for the Commerce-led privacy discussions. Other groups can create privacy codes as well, and submit them to the U.S. Federal Trade Commission for approval and enforcement, he said.

Creating the privacy codes of conduct may be difficult, he said, but they would be more flexible than regulations. “These won’t be easy conversations, and there won’t be easy consensus,” he said.

The FTC will have the authority to enforce the privacy codes, Kerry said. That agency will review the codes to make sure they protect consumers, he said.

Clear standards developed through the Department of Commerce process will give protections to consumers and will give businesses certainty about how to treat consumer information, said FTC Chairman Jon Leibowitz, also speaking at the Brookings event.

Although Kerry called codes of conduct voluntary, Leibowitz said the FTC has the tools to enforce them. Asked how the FTC could enforce voluntary codes, Leibowitz said his agency could bring unfair business practice complaints against businesses that ignore the codes.

One consumer advocate applauded the Commerce plan, but disputed Kerry’s assertion that the privacy codes were not regulations. Privacy rules enforced by the FTC “are not self-regulation,” said Mark Cooper, research director at the Consumer Federation of America. “They are, in fact, regulation.”

The Department of Commerce has avoided describing the codes as regulation in order to make the process attractive to business groups, Cooper said. But consumers should know that the rules will be enforceable, he added.

Traditional top-down regulation won’t work with privacy issues, and the participatory process pushed by the Department of Commerce makes sense, Cooper said. Internet privacy issues are “too dynamic, too rapidly moving,” he said. “The consumer demand is too diverse to have a very rigid set of command-and-control rules, so you need this flexible process.”

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant’s e-mail address is grant_gross@idg.com.