NTIA Consumer Privacy Strategy: Part 2 - Goals for Federal Action

In the second part of this article titled NTIA Consumer Privacy Strategy, we consider the NTIA’s proposed High-Level Goals for Federal Action. Also, we invite your comments on the responses received from big tech companies, associations and industry leaders.

As a result of its Request for Comments (RFC), the NTIA received comments and feedback on the following high-level goals for Federal action (abridged). The RFC document states; …these goals should be understood as setting the broad outline for the direction that Federal action should take, in addition to comments on the goals. The NTIA requested comments with details on how these goals can be achieved.

High-Level Goals for Federal Action (abridged)

  • Harmonize the regulatory landscape

While the sectoral system provides strong, focused protections and should be maintained, there is a need to avoid duplicative and contradictory privacy-related obligations placed on organizations.

  • Legal clarity - while maintaining the flexibility to innovate

The ideal end-state would ensure that organizations have clear rules that provide for legal clarity, while enabling flexibility that allows for novel business models and technologies, as well as the means to use a variety of methods to achieve consumer-privacy outcomes.

  • Comprehensive application

Any action addressing consumer privacy should apply to all private sector organizations that collect, store, use, or share personal data in activities that are not covered by sectoral laws. The differences between business models and technologies used should be addressed through the application of a risk and outcome-based approach,

  • Employing a risk and outcomes approach

Instead of creating a compliance model that creates cumbersome red tape, the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes:

  • Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs, when making decisions about how to adopt various privacy practices.

  • Outcome-based approaches also enable innovation in the methods used to achieve privacy goals.

  • Risk and outcome-based approaches have been successfully used in cybersecurity, and can be enforced in a way that balances the needs of organizations to be agile in developing new products, services, and business models with the need to provide privacy protections to their customers

  • Interoperability

The growth and advancement of the internet-enabled economy depends on personal information moving seamlessly across borders. The Administration recognizes that governments approach consumer privacy differently, creating the need for mechanisms to bridge differences, while ensuring personal data remains protected.

  • Incentivize privacy research

The Administration recommends that the U.S. Government should encourage more research and development of products and services that improve privacy protection. These technologies and solutions will include measures built into system architectures or product design to mitigate privacy risks, as well as usability features at the user interface level.

  • FTC enforcement

Given its history of effectiveness, the FTC is the appropriate federal agency to enforce consumer privacy with certain exceptions made for sectoral laws outside the FTC’s jurisdiction, such as HIPAA. It is important to take steps to ensure that the FTC has the necessary resources, clear statutory authority, and direction to enforce consumer privacy laws...

  • Scalability

The Administration should ensure that the proverbial sticks used to incentivize strong consumer privacy outcomes are deployed in proportion to the scale and scope of the information an organization is handling. In general, small businesses that collect little personal information and do not maintain sensitive information about their customers should not be the primary targets of privacy-enforcement activity, so long as they make good-faith efforts to utilize privacy protections.

In the Request for Comment document, the NTIA made clear that it was primarily seeking feedback on what it believes are the core privacy outcomes that consumers can expect from organizations, as well as the proposed high-level goals for an end-state for U.S. consumer-privacy protections.

For example:

  • are there other outcomes that should be included, or outcomes that should be expanded upon?

  • are the descriptions clear?

  • are there any issues raised by how the issues are described? and;

  • are there any risks that accompany the list of outcomes, or the general approach taken?

Responses to the RFC

Many of the 217 responses received by 11-13-2018, published on the NTIA website, are comprehensive to say the least, with some running into hundreds of pages in length. We have therefore hand-picked a number of extracts from the responses received. These will appear in subsequent posts concerning this topic.

In order to ‘get the ball rolling’ here are the first three extracts for your comments:

e.g. Do you support the introduction of Federal legislation? Should Federal consumer privacy laws be integrated with measures already being implemented by individual States i.e. California’s CCPA?

We have provided a link to the complete list of RFC responses at the bottom of this post, enabling access to the full text of the responses received.

Amazon

“[Third] we support NTIA’s goal to harmonize the regulatory landscape in order to avoid a patchwork of obligations that will burden organizations and confuse users. For the United States to lead on privacy, we need a consistent approach to privacy that provides clarity for American consumers and businesses. Privacy regulation should ensure that any additional overhead and administrative demands placed on organizations actually produce commensurate consumer privacy benefits.”

Google - “Toward a Comprehensive Baseline Privacy Framework”

“Google firmly believes that federal legislation is the best path to realize NTIA’s stated goals and reaffirms our long-standing support for smart and strong comprehensive baseline privacy legislation that enshrines high standards of privacy for everyone. Though there are meaningful and effective privacy protections in existing domestic law, regulations, and jurisprudence, we can improve upon the current framework with a comprehensive baseline privacy law that extend rights and protections by codifying long-standing privacy principles and unifying the U.S. approach. If well-crafted the new baseline could make privacy more workable for all Americans and provide the certainty and flexibility businesses of all types and sizes depend upon to continue investing and innovating.”

National Retail Federation - “Harmonize the Regulatory Landscape”

“American businesses, including retailers, recognize that they cannot solely concentrate their data privacy protection practices on compliance with U.S. federal and state data privacy regulations. Conceivably, a data regulation adopted halfway around the world –such as in the European Union (EU) – may impact a U.S. business operating entirely within our national borders and employing only American workers. Retail businesses are also acutely aware of the potential for 50 different U.S. states and an untold number of foreign governments to propose new data regulations each year that have a global reach, just like the nature of the data each law intends to regulate.”

Post your comments below and tell us what you think about the NTIA plans for a Federal approach to U.S. Consumer Privacy.

Sources and credits: NTIA RFC Consumer Privacy

Responses to RFC: https://www.ntia.doc.gov/other-publication/2018/comments-developing-administration-s-approach-consumer-privacy