The deadline for submitting comments on the National Telecommunications and Information Administration’s (NTIA) proposed approach for federal privacy law was extended recently to November 9, 2018.
Here’s what I submitted to the NTIA this morning. It’s not too late for you to do the same.
Re: Docket 180821780-8780-01
Federal Register Vol. 83, No. 187, p. 48600 – 48603
Developing the Administration’s Approach to Consumer Privacy
To Whom It May Concern:
Thank you for providing the opportunity to comment on the Administration’s proposed approach to consumer privacy. I have a few concerns I wish to raise.
1. Concerning Section I.B(4) – the Self-Regulatory Approach Proposed
It is not completely clear whether the approach detailed in the RFC would lead to federal law governing the collection, storage, use and sharing of consumer information, or merely to voluntary guidelines. Since the RFC cited both the NIST “voluntary risk-based Privacy Framework” as well as the self-regulatory Fair Information Practice Principles (FIPP), one could conclude that the NTIA is proposing a voluntary approach. This is important and should be clarified.
Assuming a voluntary approach is being proposed, the Administration should re-review the findings of the FTC “Privacy Online” report to Congress in June of 1998. The FTC concluded, with respect to FIPP, that:
To date, industry has had only limited success in implementing fair information practices and adopting self-regulatory regimes with respect to the online collection, use, and dissemination of personal information.
It is out of the limited success of these self-regulatory regimes that laws like the Children’s Online Privacy Protection Act of 1998 came to be and, more recently, that individual states have enacted non-voluntary regulations like the California Consumer Privacy Act of 2018.
It is noteworthy that although FIPP recommends that consumers should be given notice of information practices before any personal information is collected from them, that it wasn’t until the enactment of the EU’s General Data Protection Regulation in 2018 that such notices were added to the online sites of many U.S. based businesses.
2. Concerning Section I.B(1) – Regulatory Harmonization
This section seems to suggest that the Administration will be seeking to preempt the privacy regulations enacted independently in states like California and Vermont with voluntary principles. This is important and should be clarified.
Although the RFC makes a valid point about the added burden incurred by businesses to respect the various regulations in each of the states in which they do business, preempting state regulations with federal voluntary principles will undermine the trust that is just beginning to be re-built between consumers and businesses in states with new privacy regulations on the books.
If the Administration is to craft preemptive law, it would be better for it to be a non-voluntary regulatory framework that leverages some or all of the requirements of California Consumer Privacy Act of 2018 and the Vermont Data Broker Law of 2018.
Further, similarly, it is not clear whether the “Risk Management” outcome (Section I.A(6)) is intended to preempt states’ data breach disclosure laws. If so, then a non-voluntary regulatory framework (with the state laws informing a minimum) is far more likely to be effective at increasing consumer trust than stripping states’ breach notification protections.
3. Response to Section II.G – “Are there… any outcomes or high-level goals in this document that would be detrimental to achieving the goal of achieving U.S. leadership?”
Although the outcomes enumerated in section I.B of the RFC (e.g. transparency, control, minimization, security, access and correction, etc.) laudably mirror recently enacted privacy regulation abroad and within, I believe relying on voluntary principles being adopted by industry and preempting state law would, instead, directly undermine the goal of achieving U.S. leadership in online privacy.
Thank you for taking these concerns into consideration.
WordPress Core Contributor for Privacy
26 years professional experience in engineering, software development and management
Alumni, Virginia Polytechnic Institute and State University, BSEE