While I was doing some research on consumer protections in my Cyberspace Law class, I encountered the following policy that is certainly on the horizon for consumer protections. You can find the original press release here:

Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, The Department of Commerce internet policy task force, publication,  http://www.commerce.gov/news/press-releases/2010/12/16/commerce-department-unveils-policy-framework-protecting-consumer-priv, copyright 2010

Some highlights from the report:

• “The Task Force recommends adoption of a baseline commercial data privacy framework built on an expanded set of Fair Information Practice Principles (FIPPs). Commercial data privacy legislation includes a private right of action.” (We already have a private right of action called “law suit” but I suspect that there will be a mechanism for reporting violations to the soon to be newly created PPO similar to how you file an FCC complaint. This will be a persistent thorn in the corporate side. Information security will have an even closer relationship with the General Counsel I predict.)

 

• “To meet the unique challenges of information intensive environments, Fair Information Practice Principles (FIPPs) regarding enhancing transparency; encouraging greater detail in purpose specifications and use limitations; and fostering the development of verifiable evaluation and accountability should receive high priority.” (Get ready for more control evaluations and retention of evidence here.)

Also in the report, the creation of yet another government agency. Clearly stated, the “Commerce Department will establish a Privacy Policy Office (PPO) to serve as a center of commercial data privacy expertise. This means more legislative requirements imposed upon retailers and commerce companies.”

At a minimum, there will be:

• Increased corporate disclosure requirements. (Left alone, in my experience, corporations will err on the side of profit rather than what is honorable.)

• Breach notification requirements. (While we already have a degree of this, the thresholds will be accelerated. I think there will be public facing systems of record sites created by watch-dog agencies disclosing a company’s breach reporting history. Smart consumers will use this to make purchasing decisions.)

• Consumer privacy technologies allowing consumers to have vendor verification of proper personal information protections and usage controls. (In my opinion, there will be new consumer mechanisms built into a commerce companies site that enables the customer access to corporate control reports.)

• Update the Electronic Communications Privacy Act (ECPA) to include cloud and hosted environments. (Cloud and hosted environments have been a “Safe Haven” for commercial companies up until now. These outsourced sites have reduced regulatory reporting and diluted consumer protections by taking security out of the corporations list of responsibilities and dumping them onto the hosting companies. The key with hosting company’s is in establishing a progressive contractual agreement and being vigilant. Buyers beware!)