The Department of Commerce’s National Telecommunications and Information Administration (NTIA) sought public comment Wednesday on how to begin the process of developing voluntary codes of conduct governing consumer privacy, as called for in the privacy framework released by the White House last month.
That report argues that companies should follow seven basic principles — a Consumer Privacy Bill of Rights — when collecting, using, or disclosing consumers’ personal data. These principles are: individual control; transparency; respect for context; security; access and accuracy; focused collection; and accountability.
The framework calls on Congress to codify the general principles through legislation while stakeholders develop voluntary codes of conduct to implement the principles in particular sectors. The framework tasks the NTIA with setting up an open process in which all interested stakeholders — including companies, consumer advocates, and government officials — would develop conduct codes by consensus.
Consistent with the White House’s framework, the NTIA will convene and facilitate the discussions but will not dictate the results. Adoption of these codes would be voluntary, but the framework envisions that a company’s violation of a code it publicly committed to follow could be punished by the Federal Trade Commission under the FTC’s authority to punish unfair or deceptive practices.
In Wednesday’s notice, the NTIA asks for comments in two general areas: (1) which substantive topics should be addressed first, and (2) what procedures the multistakeholder process should use.
The notice suggests that the initial process could focus on implementing the transparency principle across various sectors, with more comprehensive codes developing over time. The notice particularly suggests focusing on improving transparency in mobile-application privacy notices. The NTIA notes recent studies that found many mobile apps lack privacy policies, as well as an FTC staff report that called for better parental notices in apps directed to children.
The NTIA suggests several other potential topics, although the notice emphasizes that comments are welcome on any other privacy issues. The possible topics highlighted by NTIA are:
- Mobile apps in general (e.g., a conduct code implementing the full Consumer Privacy Bill of Rights for mobile apps)
- Mobile apps that provide location-based services
- Cloud computing services
- Accountability mechanisms
- Online services directed to children and teenagers
- Trusted identity systems
- The use of multiple technologies (such as browser cookies, the browser cache, and Flash cookies) to collect personal data
The NTIA notice also asks for comments on how the multistakeholder process should be structured, and in particular whether procedures used by other Internet-policy groups (such as the Internet Corporation for Assigned Names and Numbers and the World Wide Web Consortium) might provide helpful examples.
Other questions include:
- How to ensure the process is open to all interested stakeholders as a practical matter (including what, if any, prerequisites there should be for participation).
- How to ensure the process is transparent to the public (including whether meetings should be recorded or transcribed).
- How “consensus” should be defined.
Comments will be due 20 days after the notice is published in the Federal Register.