Consumer Privacy Protections Need Review, GAO Tells Congress

The legal patchwork that exists to protect consumer privacy must be carefully reviewed and possibly overhauled to ensure that consumers have a voice in how their personal information is used, a new congressional watchdog report has concluded.

The statutory framework for consumer privacy doesn't fully address the advent of new technologies and Internet communications, nor does it take into account a rising demand for personal information in the marketplace, the Government Accountability Office states in a report made publicly available Nov. 15.

The lack of an overarching federal privacy law that addresses the collection and sale of personal information among private-sector companies and information resellers may be leaving consumers vulnerable to the exchange and sale of their information in ways they would not approve, the GAO said.

The GAO conducted its investigation for Sen. John D. Rockefeller IV (D-WV), who chairs the Senate Committee on Commerce, Science, and Transportation. He has been keenly interested in how the Internet influences commerce and the implications of unrestricted collection of online data.

"I am afraid... that the need to monetize consumers' data will win out over privacy concerns," Rockefeller said during a Senate hearing in May 2012. He called self-regulation "inherently one-sided," and he worried that "consumers' rights always seem to lose out to the industry's needs."

[Consumer privacy risks also affect the workplace. Read: Facebook Graph Search: 5 Privacy Settings To Check]

The GAO found that no federal statute gives consumers the right to learn what information is held about them and who holds it. In many circumstances, consumers do not have the legal right to control the collection (or sharing with third parties) of sensitive information, such as their shopping habits and health interests, for marketing purposes.

The Obama administration has worked to take a proactive stand on consumer privacy issues. The Privacy and Innovation Blueprint it released last year includes a proposed consumer privacy Bill of Rights that embodies a set of principles governing the handling of personal data in commercial sectors that are not subject to current federal statutes.

For the most part, the laws on the books related to the collection and sale of personal information address specific purposes, situations, or entities governing the use of personal information, the GAO said, but they do not furnish broad and comprehensive protections.

Though marketing industry representatives maintain that privacy laws are adequate, and that companies involved in the collection and sale of consumer information apply self-regulatory measures to their business, the GAO found significant gaps in legal protections for privacy. Moreover, it said the statutory framework does not truly reflect the Fair Information Policies Principles, which are widely accepted principles protecting the privacy and security of personal information. These principles that have guided privacy recommendations made by federal agencies.

The debate over privacy protection has been heated. On one side are privacy advocates who say that an overarching privacy law would offer more consistency and address gaps left by the sector-specific approach. They say there is a real need to give consumers control of their information when it is used for a purpose beyond that for which it was originally provided.

On the other side are individuals and groups that say a one-size-fits-all approach would be overly burdensome and restrictive. They hold that restrictions on the collection and use of personal data would boost compliance costs, inhibit innovation, and keep consumers from receiving relevant advertising and beneficial products and services.

The GAO interviewed representatives of the reseller and marketing industries, consumer and privacy groups, and federal agencies. It recommends that Congress consider strengthening the consumer privacy framework to reflect changes in technology and the increasing demand for consumer information.

Federal lawmakers should find ways to furnish consumers with appropriate privacy protections without unduly inhibiting commerce and innovation, the report said.

Consumerization 1.0 was "we don't need IT." Today we need IT to bridge the gap between consumer and business tech. Read the "Consumerization 2.0 issue of InformationWeek. Also in the report: Stop worrying about the role of the CIO (free registration required).