Public Policy

Principles for Multi-Stakeholder Process (NTIA)

On Feb. 23, 2012, nine signatory organizations published a MultiStakeholder Principles designed to guide the NTIA MultiStakeholder Process, a self-regulatory process to develop voluntary codes of conduct with industry and civil society. The document states: "The US Department of Commerce is proposing a multi-stakeholder process for developing better applications of privacy principles. For the multi-stakeholder process to succeed, it must be representative of all stakeholders and must operate under procedures that are fair, transparent, and credible. We believe the following baseline principles will provide the multi-stakeholder process the legitimacy it needs to succeed."

Leading Civil Society Groups Agree on Key Principles: the Commerce Privacy Process Must be Fair, Transparent, Credible

MultiStakeholder Privacy Principles -- The World Privacy Forum has led an effort to craft a set of principles with the nation’s leading civil liberties, privacy, and consumer groups. Today, the groups are releasing a set of baseline Multi-Stakeholder Principles in response to the U.S. Department of Commerce’s plan for a multi-stakeholder process on privacy. (The U.S. Department of Commerce is undertaking a representative process for bringing together members of industry and civil society to form new privacy rules.) These leading groups believe that for the multi-stakeholder process to succeed, it must be representative of all stakeholders and must operate under procedures that are fair, transparent, and credible.

Public Comments: February 2012 - WPF asks that the full Consumer Privacy Bill of Rights be applied to MS Process (Principles for Multi-Stakeholder Process)

WPF filed two sets of comments with the US Department of Commerce regarding the MultiStakeholder Process and the privacy topics to be taken up. The first set of comments were WPF’s formal filing of the joint Civil Society MultiStakeholder Principles on behalf of WPF and the American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers’ Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers’ League, Privacy Rights Clearinghouse, and US PIRG. The second set of comments were WPF’s own comments to the Department. WPF urged the Department to employ a fair process, choose focused topics, and to apply the full range of the Consumer Privacy Bill of Rights to each topic.

WPF opposes censorship bills; supports right to create and use anonymization tools to protect privacy

Stop SOPA & PIPA ---- The World Privacy Forum is deeply concerned about the profound, far-reaching privacy consequences of two bills, SOPA and PIPA. The bills have many negative aspects. In terms of the privacy impacts, one of the serious consequences is that the right to create and use anonymization ...

Public Comments: October 2011 - WPF urges HHS to do more to protect the privacy of medical research subjects

The World Privacy Forum filed extensive comments with the US Department of Health and Human Services about its proposed changes regarding the rules governing human subject medical research. In the comments, WPF noted that the HHS approach to privacy for research subjects was incomplete and did not use all Fair Information Practices. WPF strongly urged HHS to revise its proposal on a number of issues, including consent and the use of biospecimens in research. The World Privacy Forum is urging HHS to acknowledge that the realm of health data that is truly non-identifiable has shrunken remarkably, for example, biospecimens with DNA cannot be considered non-identifiable anymore. "In our comments, we are requesting that HHS give individuals the opportunity to make choices about the use of their own health data and specimens," said Executive director Pam Dixon. WPF also stated in its comments that "A central database with identifiable information about participants in human subjects research is a terrible idea." (See p. 21 of WPF comments.)

Congressional Testimony: What’s a Consumer to Do? Consumer Perceptions and Expectations of Privacy Online

WPF executive director Pam Dixon testified at a joint subcommittee hearing focused on privacy and the collection and use of online and offline consumer information. Dixon's testimony focused on the new "modern permanent record" and how it is used and created. Dixon said "The merging of offline and online data is creating highly personalized, granular profiles of consumers that affect consumers’ opportunities in the marketplace and in their lives. Consumers are largely unaware of these profiles and their consequences, and they have insufficient legal rights to change things even if they did know." The testimony explored concrete examples of problematic consumer profiling activities.

Public Comments: August 2011 - Proposed changes to the HIPAA Privacy Rule regarding Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act

The World Privacy Forum today filed its comments on the proposed changes to the HIPAA privacy rule, supporting some proposed changes and suggesting additional changes to enhance patient choice. In particular, the WPF supports the new patient right to an access report that has been added (p. 4), and has requested that Health Information Exchanges also be required to provide accountings of disclosures to patients (p. 18). The WPF generally argued that HHS needs to look forward and allow changes in information technology to fully benefit patients by providing the facility for more accounting rather than less (pp. 2-3). If the HIPAA rule gives patients a greater ability to monitor how their information is used and disclosed, patients will pay attention and requests for accounting of disclosures will become more common.

Public Comments: May 2011 - WPF requests more information about Ceridian data breach and the FTC complaint process

The World Privacy Forum filed comments with the Federal Trade Commission regarding its consent decree against Ceridian regarding a substantial data breach. WPF has requested that the Commission present more facts in the case to the public, and has also requested more clarity about the FTC complaint process, noting that it is not a transparent process for the public.

Public Comments: May 2011 - Notice of Proposed Rulemaking for the Family Educational Rights and Privacy Act FERPA

The WPF filed detailed comments on the U.S. Department of Education's notice of proposed changes to the Family Educational Rights and Privacy Act. WPF has concerns that the increased sharing of student information that the proposed rule will allow will diminish student privacy in a significant and permanent way. WPF is urging the DOE to amend its proposed rule to establish increased privacy protections for sensitive student information held in databases and elsewhere.

Major Changes Weaken FERPA

Educational Privacy -- The Family Educational Rights and Privacy Act of 1974, FERPA, has been amended substantially. The proposed amendments have been published and are open for comment until May 23, 2011. The current changes impact students' medical, educational, and informational privacy interests. WPF will be filing detailed comments on FERPA, including how the proposal interacts with California privacy laws. We will be posting additional materials on commenting soon.

WPF Resource Page: Behavioral Advertising and Privacy

Some of the advertising that is done online comes with hooks. Using a variety of technologies, some largely unseen, online advertisers can track online activities, sometimes in profound ways that consumers are not expecting. Not all online advertising has "hooks" that are problematic or that raise privacy challenges. But a type of advertising called "behaviorally targeted advertising" often does. Behavioral advertising has two key components: tracking and targeting.

WPF on EASA: Self-Regulation on Online Behavioral Advertising No Longer Credible

Comments on EASA --The World Privacy Forum submitted comments today on the European Advertising Standards Alliance's Best Practice Recommendation on Online Behavioural Advertising. Our comments focus upon three key areas: First, the EASA recommendation fails to recognize the protection of consumer privacy in Online Behavioral Advertising (OBA) as a key policy goal. Second, the recommendation's protections are narrow, creating illusory protections for user privacy, whether or not they opt out of OBA. Finally, we critique the oversight and compliance mechanisms, which are not likely to foster consumer confidence nor police the industry. Drawing upon the WPF's 2007 report, The NAI: Failing at Consumer Protection and at Self-Regulation, the comments argue that EASA's approach suffers from the same weaknesses as self-regulatory approaches deployed in the United States, and that European lawmakers should not replicate the failed American approach. Law students from the Samuelson Law, Technology & Public Policy Clinic helped draft the comments as part of an ongoing project on consumer privacy and OBA.

Public Comments: February 2011 WPF Responds to FTC's Report on Privacy

The World Privacy Forum filed comments with the FTC in response to its preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. In our comments, we urge the FTC to take affirmative steps to protect consumer privacy online and offline. Our comments include a brief history of privacy self regulation, and point out how privacy self regulation has consistently failed. The comments also discuss Do Not Track, and urge the FTC to take a broader look at tracking protections for consumers. WPF also specifically requested that the FTC identify credit reporting bureaus subject to Fair Credit Reporting Act regulations and assist consumers in locating those bureaus.

Public Comments: December 2010 Personal Health Records and online advertising

The World Privacy Forum filed comments today about how medical records and other health information is intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.

FTC Privacy Roundtable: WPF to testify on information brokers

FTC Privacy Roundtable -- WPF executive director Pam Dixon will testify at the FTC Privacy Roundtable about information brokers and commercial data practices and they impact consumers. Dixon will be discussing the business models of data brokers, issues with smart grids, and opt-out problems, among other issues.

World Privacy Forum comments on genetic non-discrimination to HHS

Genetic non-discrimination regulations (GINA) -- The World Privacy Forum filed comments on proposed regulations for implementing Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested a change to the proposed regulations, asking the Department of Health and Human Services require immediate posting of revised notices of privacy practices on the web sites of affected health plans. Under the proposed regulations, written notice of revised privacy practices to individuals could be delayed due to the cost of postal mailing. The WPF noted that a revised privacy notice posted on a health plan's web site would not incur postal costs, and that regulated entities should take this minimum step to inform consumers of any changes regarding privacy practices affecting genetic non-discrimination.

World Privacy Forum testifies before the House Energy and Commerce Committee

Congressional testimony -- WPF executive director Pam Dixon testified at a joint subcommittee hearing focused on privacy and the collection and use of online and offline consumer information. Dixon's testimony focused on the new "modern permanent record" and how it is used and created. Dixon said "The merging of offline and online data is creating highly personalized, granular profiles of consumers that affect consumers’ opportunities in the marketplace and in their lives. Consumers are largely unaware of these profiles and their consequences, and they have insufficient legal rights to change things even if they did know." The testimony explored concrete examples of problematic consumer profiling activities.

WPF files comments for FTC Roundtables on privacy standards, consumer expectations of privacy

FTC Privacy Roundtable -- The World Privacy Forum filed comments last week for the FTC Privacy Roundtables, the first of which will be held December 7, 2009. The WPF comments urged the FTC to consider the Fair Credit Reporting Act as a key privacy model to apply to additional areas, to use the full version of Fair Information Practices, and discussed how a rights-based framework was the key to advancing consumers' interests. The comments discussed list brokers at length, and explained how even the most informationally cautious consumer will land on numerous marketing lists and databases. The WPF comments noted that not all marketing lists are used to target ads to consumers; some lists and databases are used to deny consumers goods and services. The comments contain a detailed section on privacy frameworks, a section on direct marketing, and an appendix with supporting information.

Medical data breach rule needs more work; World Privacy Forum files comments with HHS requesting changes

Data Breach | HHS HITECH Breach Notification -- The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.

WPF Resource Page: State Security Freeze Laws and General Information

A credit freeze (sometimes called a security freeze) lets you stop the disclosure of your credit report by a credit bureau. Currently, the three credit bureaus are allowing all consumers nationwide to set a security freeze for a fee. Some states have specific security freeze laws; a list of states with security freeze laws may be found below. However, even if you live in a state without a security freeze law, you can still set a security freeze.

WPF asks Treasury to get consumers' consent before checking their credit reports

Financial privacy - Privacy Act -- The World Privacy Forum filed comments today urging the U.S. Treasury Department to obtain consumers' consent before checking their credit reports. Consumers who participate in the government's Home Affordable Modification Program (HAMP) -- an Obama administration program created to help consumers renegotiate their mortgages so they can keep their homes -- must allow the Federal Government to check their credit reports without first obtaining consent. This procedure sets a negative precedent, and is at odds with consumer expectations of privacy. The Treasury gave itself this power in an obscure set of "Routine Uses" in a Privacy Act notice published along with the proposed system of records for the program. The World Privacy Forum has objected to this, and has filed detailed comments with the Treasury about the lack of consumer consent. The public comment period on this program is open until September 4, 2009.

Public Comments: August 2009 - WPF asks Treasury to get consumers' consent before checking their credit reports

The World Privacy Forum filed comments today urging the U.S. Treasury Department to obtain consumers' consent before checking their credit reports. Consumers who participate in the government's Home Affordable Modification Program (HAMP) -- an Obama administration program created to help consumers renegotiate their mortgages so they can keep their homes -- must allow the Federal Government to check their credit reports without first obtaining consent. This procedure sets a negative precedent, and is at odds with consumer expectations of privacy. The Treasury gave itself this power in an obscure set of "Routine Uses" in a Privacy Act notice published along with the proposed system of records for the program. The World Privacy Forum has objected to this, and has filed detailed comments with the Treasury about the lack of consumer consent. The public comment period on this program is open until September 4, 2009.

FTC issues final rule on health data breaches

Health data breach rulemaking -- The Federal Trade Commission has issued its final Health Breach Notification Rule for vendors of Personal Health Records and related entities, as required under ARRA, The American Recovery and Reinvestment Act of 2009. The initial proposed Health Breach Notification Rule was generally thoughtful and thorough. The World Privacy Forum submitted extensive comments on the proposed rule both supporting parts of it and making some suggestions for changes. The FTC incorporated several specific WPF suggestions into the final rule. In particular, the FTC incorporated the applicability of the rule to foreign entities with U.S. customers (Final Rule p. 17), and the applicability of the rule to search engines appearing on Personal Health Record web sites (Final Rule p. 34). The new rule will be published in the Federal Register shortly; until then, it is available at the FTC web site. Also available is a form that entities covered under this rule can use to report data breaches to the FTC. The Health Breach Notification Rule will be effective 30 days after publication in the Federal Register, and full compliance with the rule will be required beginning 180 days after publication.

Public Comments: August 2009 - WPF files comments on government use of web tracking technologies

The World Privacy Forum filed comments with the Office of Management and Budget regarding its proposal to begin to allow the use of tracking cookies on government web sites. The proposal was published in the Federal Register, and outlined a three-tiered plan for how web tracking technologies might be used. The Forum's comments focused on methods of opt-out, data retention, secondary use, user authentication, new tracking technologies such as Flash cookies, and the need for new opt-out mechanisms. The Forum also urged the federal government to not allow third party tracking of consumers' use of government web sites, and to guard against any discrimination against consumers who do not want to be tracked.

Letter: July 2009 WPF letter to Los Angeles Mayor regarding cloud computing privacy issues

The World Privacy Forum sent a letter to Los Angeles Mayor Villaraigosa today expressing concerns and questions about a proposed contract to move the city of Los Angeles' email and some other computing tasks to a cloud-based system. The Forum expressed concerns in particular about the lack of contractual protection for health data, AIDs data, genetic information, domestic violence and sexual assault victim information, among other sensitive information. The Forum suggested the city undertake an independent and thorough risk assessment prior to completing the contract, and suggested a robust public comment process that includes all stakeholders. The City will take up the issue of this contract at a city council Information Technology Committee meeting on Tuesday July 21. The World Privacy Forum published a detailed analysis of the privacy issues of cloud computing in February which outlines the challenges and ambiguities that governments and others face as they make decisions about what data to put in the cloud.