This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Privacy: Consumer Bill of Rights and Do-Not-Track Coming

Major privacy developments at federal and state levels.

The White House announced a Consumer Privacy Bill of Rights, the advertising industry promised to honor "Do Not Track," and California got tough on mobile privacy. Agile companies will be keeping an eye on these developments and adjusting customer-facing policies as they see the need.

Action on the privacy front was breaking out all over yesterday. First, California: the Attorney General of that state announced an agreement with the major makers of mobile device operating systems -- Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion -- to require apps to display a conspicuous privacy policy. Only 5 percent of mobile apps do so now. In addition, app store providers like Apple and Google are required to offer ways for users to report apps that do not comply.

The California AG also joined with 35 of her peers on Wednesday in signing a letter addressed to Google, protesting that company's plan to modify its privacy policy and track users' activity across its various services, beginning March 1.

At the federal level, on Wednesday the White House unveiled a proposed Consumer Privacy Bill of Rights (CNET has a good summary). The Commerce Department will begin meeting with industry representatives, privacy advocates, and others to develop enforceable policies based on the principles in the Bill of Rights, which include:

The administration said it would work with Congress to get those principles encoded into law, and harmonized with privacy regimes in other countries as well. (The US has been an outlier in not embracing Article 12 of the Universal Declaration of Human Rights; the proposed Bill of Rights brings this country closer to the EU's practice.)

Rounding out this week's big privacy news, the advertising industry has promised to honor browser-based Do Not Track requests from users, as first reported on Wednesday by the Wall Street Journal. The Digital Advertising Association (DAA), which has been resisting Do Not Track for years, said it will work with the major browser makers to arrive at a (we hope) simplified and uniform way for Web users to declare that they prefer not to be tracked across the Web.

Do Not Track is an idea first championed by privacy researcher Christopher Soghoian three years ago; he recounts the history in a post titled "Do Not Track: First they ignore you, then they ridicule you, then they fight you, then you win." DNT is a simple header sent by the browser with every Web (HTTP) request; it has been implemented in Firefox, Internet Explorer, Opera, and Safari. Only Chrome has been a holdout, but among the flurry of announcements on Wednesday came word that Google would be implementing Do Not Track in Chrome.

Until these announcements, the problem was that few if any advertising companies paid attention when they saw a Do Not Track header. With the commitment by the DAA that it will require its members to honor Do Not Track, within a year more than 90 percent of advertisers should be on board.

What does "honoring Do Not Track" entail? A working group of the World Wide Web Consortium (W3C) has been meeting to define exactly that -- it's not a simple problem. The first report in the Wall Street Journal left some doubt as to whether the DAA would be using the W3C's definition of Do Not Track, or something else; now it is clear that the W3C will be deeply involved with the advertising industry as the DAA's plan unfolds over the coming months. In fact, many of the DAA's member companies have been meeting with the W3C working group since last fall to define and standardize Do Not Track (there's a summary of their progress on the Opera site).

So a year from now, it should be possible for an average user to click a DNT button in any browser to opt out of the vast majority of advertiser tracking and targeted advertising. But note that Facebook considers Do Not Track an interesting idea that doesn't apply to them. It will be instructive to see whether Google decides that something similar holds for its Google+ network -- though its DoubleClick advertising network will be compliant.

This week's events are a clear indication that the winds blowing in the direction of consumer privacy have become a gale, and this is before Congress gets down to serious work on legislation. You'll want to keep watch on these developments and ensure that customer-visible processes stay in alignment with your privacy policies.