DOC green paper

Speaking at today’s Senate Commerce Committee hearing on “The State of Online Consumer Privacy,” Assistant Secretary of Commerce Lawrence E. Strickling stated that the Obama administration supports comprehensive privacy legislation.  As we noted in yesterday’s post, this announcement represents a shift in Administration policy.  Although in its December 2010 “Green Paper,” Commerce recommended that consumers’ online activities be subject to greater protections, the Department stopped short of embracing baseline legislation as the way to ensure such protections.  Strickling explained today that after reviewing the dozens of comments submitted in response to the Green Paper, the Department concluded that privacy legislation should be the foundation of the U.S. privacy framework.Continue Reading Administration Calls for Privacy Legislation

We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  We have also published client alerts on the FTC report and the DOC green paper.  In this and two subsequent blog posts, I will share some observations on themes in these proposed frameworks that have implications for how companies approach their IT contracts.  

My first observation is that both the report and the green paper emphasize the need for a coordinated and well managed set of policies with respect to privacy and security arrangements in contracts with third party business partners. 

The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations.  As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider. 

The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance.  In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider.  IT contracts also need to require that the provider comply with the customer’s policies on FIPPs. Continue Reading Implications of the FTC Report and DOC Green Paper for IT Contracts