NTIA Consumer Privacy Strategy: Part 1 - Proposed Approach
In September 2018, the National Telecommunications and Information Administration (NTIA) invited public comments on its proposed approach to consumer privacy. The request, on behalf of the U.S. Department of Commerce, was for comment on ways to advance consumer privacy, while protecting prosperity and innovation. By November 13, the request for comment had generated an avalanche of valuable feedback from corporations, associations and other contributors across the nation - 217 of which are published on the Administration’s website.
The Administration notes that individuals interact daily with a vast range of online products and services. Most often, these products and services require the collection, storage, and processing of users’ personal data. Users are ‘required’ to trust that organizations will treat the information they share with respect. Individuals also want to know what is happening with their personal information and decide whether they are comfortable with sharing this data.
A growing number of foreign countries, and some U.S. states, have articulated - and in some cases, fully implemented - their own specific solutions for addressing data privacy, e.g. The EU General Data Protection Regulation (GDPR). The NTIA describes this situation as:
“leading to a nationally and globally fragmented regulatory landscape. Such fragmentation naturally disincentivizes innovation by increasing the regulatory costs for products that require scale.”
The NTIA has stated that it “hopes to articulate a renewed vision, one that reduces fragmentation nationally and increases harmonization and interoperability nationally and globally.”
The NTIA's approach to consumer privacy is based on:
a set of high-level goals that describe the outlines of the ecosystem that should be created to provide those protections.
The Administration stressed that the RFC was not calling for the creation of a statutory standard. Instead, it asked commenters to respond with how they believe these privacy outcomes and goals can be achieved. It is hoped that comments received will "help to inform future Administration policy, actions, and engagement on consumer privacy."
Privacy Outcomes (abridged)
“The desired outcome is a reasonably informed user, empowered to meaningfully express privacy preferences, as well as products and services that are inherently designed with appropriate privacy protections,”
The Administration proposes privacy outcomes be implemented based on a risk management approach. One that allows organizations the flexibility and innovation they need in order to achieve these outcomes.
In its 4-page RFC document, the NTIA stated that the following privacy outcomes (abridged) should be read as “a set of inputs for building better privacy protections into products and services” - not as the proposed text of a legal standard.
Users should be able to easily understand how an organization collects, stores, uses, and shares their personal information. Transparency can be enabled through various means. Organizations should consider how the average user interacts with a product or service - and maximize the intuitiveness of how it conveys information to users.
Users should be able to exercise reasonable control over the collection, use, storage, and disclosure of the personal information they provide to organizations. However, which controls to offer, when to offer them, and how they are offered should depend on context, taking into consideration factors such as a user’s expectations and the sensitivity of the information.
Data collection, storage length, use, and sharing by organizations should be minimized in a manner and to an extent that is reasonable and appropriate to the context and risk of privacy harm. Other means of reducing the risk of privacy harm (e.g., additional security safeguards or privacy enhancing techniques) can help to reduce the need for such minimization.
Organizations that collect, store, use, or share personal information should employ security safeguards to secure these data. Users should be able to expect that their data are protected from loss and unauthorized access, destruction, use, modification, and disclosure. Further, organizations should take reasonable security measures appropriate to the level of risk associated with the improper loss of, or improper access to, the collected personal data;
Access and Correction
Users should have qualified access personal data that they have provided, and to rectify, complete, amend, or delete this data. This access and ability to correct should be reasonable, given the context of the data flow, appropriate to the risk of privacy harm, and should not interfere with an organization’s legal obligations, or the ability of consumers and third parties to exercise other rights provided by the Constitution, and U.S. law, and regulation.
Users should expect organizations to take steps to manage and/or mitigate the risk of harmful uses or exposure of personal data. Risk management is the core of this Administration’s approach, as it provides the flexibility to encourage innovation in business models and privacy tools, while focusing on potential consumer harm and maximizing privacy outcomes.
Organizations should be accountable externally and within their own processes for the use of personal information collected, maintained, and used in their systems. As described below in the High-Level Goals for Federal Action section, external accountability should be structured to incentivize risk and outcome-based approaches within organizations that enable flexibility, encourage privacy-by-design, and focus on privacy outcomes.
In part 2, we look at the NTIA’s proposed goals for Federal action and examine some of the responses to the RFC, from tech giants, trade associations and others.