NTIA Seeks Comment on a Flexible, Risk-Based Approach to Consumer Privacy
While the RFC stops short of specifically calling for federal privacy legislation, one of the high-level goals identified in the RFC is to harmonize consumer privacy regulation, and the RFC asks for comment on whether legislation is needed to achieve federal goals. The RFC notes that it is not proposing any changes to current consumer privacy "sectoral laws," including the Children's Online Privacy Protection Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act.
This RFC comes at a time when there is a new wave of interest in federal privacy legislation, which has been controversial to date. Recently, representatives of a number of leading technology companies and others testified before Congress in favor of such legislation. Their position reflects recognition that US companies may be better off with uniform standards rather than attempting to comply with the different standards set by various state privacy laws.
The RFC proposes that consumer privacy "refocus on the outcomes of organizational practices, rather than on dictating what those practices should be." The collection, use, storage, and sharing of information, as well as user transparency, control and access, should be "reasonable" and "appropriate to the context." The RFC emphasizes balancing flexibility with the need for legal clarity and strong consumer protections. Thus, the RFC proposes a risk-management approach that "affords organizations flexibility and innovation in how to achieve" the privacy outcomes listed below.
- Transparency. Users should be able to easily understand how an organization collects, stores, uses, and shares their personal information. The RFC points out that lengthy privacy notices in many cases do not lead to adequate user understanding.
- Control. Users should be able to exercise reasonable control over the collection, use, storage, and disclosure of the personal information they provide to organizations.
- Reasonable minimization. "Data collection, storage length, use, and sharing should be minimized in a manner and to an extent reasonable and appropriate to the context and risk of privacy harm."
- Security. Organizations should employ security safeguards to protect personal information they collect, store, use, or share.
- Access and correction. Users should have reasonable access to their personal data and the ability to amend or delete that data, given the context of the data flow and risk of privacy harm.
- Risk management. "Users should expect organizations to take steps to manage and/or mitigate the risk of harmful uses or exposure of personal data."
- Accountability. "Organizations should be accountable externally and within their own processes for the use of personal information" they or their third-party vendors collect, maintain and use in their systems.
High-Level Goals for Federal Action
The RFC describes the goals below as a nonexhaustive and nonprioritized list of the Administration's priorities.
- Harmonize the regulatory landscape. The RFC notes that there is a need to avoid duplicative and contradictory privacy-related obligations placed on organizations.
- Legal clarity while maintaining the flexibility to innovate. This goal would ensure organizations have clear rules, while providing flexibility for novel business models and technologies and allowing a variety of methods to achieve privacy outcomes.
- Comprehensive application. Any action should apply to all private-sector organizations that collect personal data not otherwise subject to the sectoral laws noted above.
- Employ a risk- and outcome-based approach. "Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs . . . ."
- Interoperability. This goal would develop "a regulatory landscape that is consistent with the international norms and frameworks in which the United States participates, such as the APEC Cross-Border Privacy Rules System."
- Incentivize privacy research. The government should encourage development of products and services that improve privacy protections.
- FTC enforcement. The RFC states that the FTC is the appropriate federal agency to enforce consumer privacy, with exceptions for certain areas covered by the sectoral laws noted above (e.g., HIPAA).
- Scalability. Small businesses that collect little personal information and do not maintain sensitive information should not be primary enforcement targets as long as they are making good-faith privacy protection efforts.
Request for Comment
Below are some of the key questions the RFC identifies for comment.
- Feedback on the set of core outcomes consumers can expect and the high-level goals:
  - Are there other outcomes and goals that should be considered?
  - Are the descriptions clear?
  - What are the risks to these outcomes and goals?
- What steps should the Administration take to effectuate the outcomes and achieve the goals?
  - Executive actions?
  - Recommended statutory changes?
  - Other means?
- Are there any terms that need more precise definition?
  - Any suggestions on how to define terms and what the definitions should be?
- Are any changes needed regarding the FTC's resources, processes or statutory authority?
- Cross-border trade benefits:
  - If other countries replicated the outcomes and goals described in the RFC, would it be easier for US companies to provide goods and services in those countries?
- US leadership:
  - Are there other ways to achieve US leadership that are not included in this RFC? Are any outcomes or goals in this RFC detrimental to US leadership?
© Arnold & Porter Kaye Scholer LLP 2018 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.