Last week, the National Telecommunications and Information Administration (“NTIA”) released submissions it had received from the Federal Trade Commission (“FTC”) staff and many other parties on NTIA’s proposed framework for advancing consumer privacy while protecting innovation. Although NTIA did not request comments on a possible federal privacy bill, most submissions took the opportunity to inform NTIA of what such a federal privacy bill should look like.
In its comments, FTC staff focused on four major themes: transparency, control, enforcement, and security. With respect to transparency, it suggested privacy policies—while valuable, because they help enforcers “hold companies to their promises”—should more closely align with “consumer demand for information” and avoid “legalese” or “bloat.” And with respect to consumer control over personal data, FTC staff supported a balanced approach. In certain situations, it suggested, companies need not obtain explicit consent from consumers in order to collect and process their data, as when websites “collect click-through rates” or retailers “collect and disclose de-identified data.” But consent obligations would be triggered if companies wanted to collect sensitive data or use data in ways materially inconsistent with original representations.
The European Commission generally supported the NTIA’s proposal but stressed that privacy protections must be grounded in legislation. Moreover, the European Commission urged NTIA to expand its proposal. For instance, it argued that companies should not be able to process consumer data without a lawful basis for doing so—an idea that is at the core of the European Union’s General Data Protection Regulation (“GDPR”). The European Commission also urged NTIA to add specific protections for “sensitive data” and a requirement to report data security breaches. These principles, it stated, already are codified in the EU-US Privacy Shield. The European Commission also urged NTIA to go beyond the right to access and correct data, and to provide safeguards against biased algorithms.
Several key themes emerged in submissions from industry associations such as the U.S. Chamber of Commerce and the American Advertising Federation. These groups urged passage of a federal privacy law that would preempt state laws—including state data-breach notification laws—and promote international data transfers. New legislation should be technology-neutral, they stressed, although special accommodations may be appropriate for smaller companies. The law’s requirements also should be flexible—these groups generally supported the NTIA’s “risk-based” approach—such that the rights of consumers and obligations of companies would depend on context. And these industry associations stressed that the FTC should remain the country’s primary privacy enforcer; consumers, they maintained, should not have a private right of action. Several groups also noted that data minimization requirements should not hamper efforts to advance AI and machine learning, which depend on the collection and analysis of “Big Data.”
Consumer groups, on the other hand, were generally critical of the NTIA’s proposed “risk-based approach.” Some supported an “opt in” consumer consent model and argued that consumers should have private rights of action under any new statute. The Electronic Privacy Information Center perhaps went the furthest on enforcement, suggesting that FTC enforcement has been inadequate and that a new statute should create a new federal privacy agency.
All of the comments submitted last week can be accessed here.