Protecting Privacy in Online Identity: A Closer Look at the Fair Credit Reporting Act
March 1, 2010
Last week, CDT submitted comments to the Federal Trade Commission (FTC) highlighting the need to develop some type of private or public legal regime that ensures identity providers properly safeguard consumer privacy in the emerging identity management industry. Specifically, the comments suggest that the Fair Credit Reporting Act (FCRA) may apply to identity providers in certain circumstances based on a review of the statutory text and relevant case law. If FCRA does indeed apply, identity providers would be required to comply with a pre-existing statutory regime and certain Fair Information Practice (FIP) principles that are already incorporated into the law. We submitted these comments in advance of the FTC’s third “Exploring Privacy” roundtable, which will be held on March 17, 2010. CDT also separately submitted comments on health information privacy.
Whether or not FCRA applies (this is still very much an open legal question), the statute details certain FIPs-like obligations that identity providers and relying parties – entities using, or relying on, identity information – should incorporate into their practices. Conforming to the FIPs laid out in the statute, which emphasize consumer notice, consent, access, correction, timeliness and secondary use limitations, will significantly benefit consumer privacy and will instill the trust to help identity providers grow.
CDT does not believe relying on FCRA is necessarily the best approach here. Rather, we have previously suggested a contract regime could be used to govern these entities. That is, developing a meaningful three-party contract between the user, identity provider and relying party could prove to be a particularly useful way to govern identity management systems and protect privacy. No matter the approach adopted – a contract regime, relying on existing regulatory frameworks, i.e., an FCRA regime, or a new policy and/or law – what is critical is that we ensure identity providers protect privacy. And what FCRA does offer is at least a good starting point for the FIP principles that should be implemented in this space.
FCRA is a complicated statute that regulates the collection, dissemination and use of consumer information for various purposes, including, but not limited to, eligibility for credit, insurance and employment. What we found is that identity providers may indeed be doing specialized types of background checks for online consumer or government services that Congress envisioned regulating when enacting the statute.
One thing is clear to everyone: this space is still very new, so please read our full comments and give us feedback.