Insights

Today's Trends in Credit Regulation

Privacy Reform: The Department of Commerce Seeks the Leading Role with Chief Support from the FTC
By Alicia H. Tortarolo

As 2010 came to a close, both the United States Department of Commerce and the Federal Trade Commission released privacy initiatives that stand to reform both domestic policy and international engagement. The two distinct yet complimentary initiatives appear to embody corresponding goals to revisit, reinvigorate, and strengthen a decade’s worth of federal commercial data privacy policy, with a particular emphasis on finding a nexus between consumer trust and the flexibility for innovation to foster a growing economy in an ever-changing marketplace.

Department of Commerce Privacy Initiative

The United States Department of Commerce’s Internet Policy Task Force sets the stage for an ever-evolving privacy reform with the debut of a green paper entitled “Commerical Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”.[1] While not endorsing specific legislation at this time, the Green Paper will assist with a closer examination of our current sectoral approach to privacy as well as stimulate further consideration of a perceived need for a stronger commercial data privacy framework.

The proposed Dynamic Privacy Framework sets forth the initial policy recommendations under four broad categories:

  • Enhance Consumer Trust Online Through Recognition of Revitalized Fair Information Practice Principles (FIPPs).

To address the potential for a continued deterioration in consumer trust and the consequential technological and economic decline, the Department recommends a clear set of principles, a “Privacy Bill of Rights,” to serve as the foundation of U.S. consumer data privacy that would promote increased transparency to better inform consumers of choices; align consumer expectations and information practices through purpose specifications and use limitations; and foster the development of verifiable evaluation and accountability programs. The Department does not purport to develop FIPPs that would conflict with existing sectoral laws and policies but rather principles that act in concert with these strong protections. The Department’s goal is to “seek to balance the desire to create uniformity and predictability across State jurisdictions with the desire to permit States the freedom to protect consumers and to regulate new concerns that arise from emerging technologies, should those developments create the need for additional protection under Federal law.”[2]

  • Encourage Developing Enforceable Privacy Codes of Conduct in Specific Sectors with Stakeholders; Create a Privacy Policy Office in the Department of Commerce.

The Department emphasizes that Revitalized FIPPs would serve as a baseline of privacy protection and, as such, some principles may replicate the existing uncertainty companies currently experience with privacy compliance. To allay the potential for uncertainty as well as to address emerging technologies and evolving issues not covered by baseline FIPPs, the Green Paper recommends supplemental voluntary, enforceable, FTC-Approved Codes of Conduct and even proposes a more formalized legislative safe harbor for a company’s adherence to the codes. In addition, the Green Paper recommends establishing a Privacy Policy Office (PPO) within the Department to act as the center of U.S. commercial data privacy expertise whose function would be to work with the FTC, the Executive Office of the President, and other Federal entities.[3] It is not recommended that the PPO have any enforcement authority but only to operate as a facilitator of sorts to leverage the expertise of both public and private-sector privacy representatives as collaborative resources to help develop these codes of conduct. Further, the proposed PPO would take a leading role, along with the FTC and industry, in consumer privacy education.

  • Encourage Global Interoperability.

The Department recommends the development of a U.S. framework that furthers the harmonization of global privacy laws. The Department encourages continued work by the federal government to increase cooperation among the global privacy community and, specifically, global privacy enforcement authorities to build a framework, e.g. trade commitment, for the mutual recognition of each others’ commercial data privacy systems and to build cross-border regulatory cooperation and international redress. This work should serve to decrease costs of global business, provide consistent protection worldwide, and contribute to economic growth.

  • Ensure Nationally Consistent Security Breach Notification Rules.

The Department encourages a comprehensive commercial data security breach framework based upon the effective existing state security breach notification laws and policies. The Department contemplates partial federal preemption in that it recommends permitting states to build upon the proposed comprehensive framework in limited ways.

Overall, the Green Paper will advance the Obama Administration’s commitment to Open Government-inspired consultation by calling upon public participation and collaboration to aid in the Administration’s contribution to domestic privacy policy and international engagement by developing a broad and dynamic commercial data privacy framework.[4] Accordingly, the Department of Commerce is soliciting public comment on several issues in an effort to “sharpen and refine the policy ideas” set out in the paper.[5] Of interest, the Department solicits comments on the level of preemption that should be afforded to the Dynamic Privacy Framework and the extent that State Attorneys General should be allowed to enforce the national framework. The deadline is January 31, 2011.

Federal Trade Commission Privacy Initiative

In December, the FTC issued a preliminary report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework For Businesses and Policymakers” with the goal of guiding and informing policymakers, including Congress.[6]

The Report is the result of a series of privacy roundtables set up to explore the privacy issues and challenges associated with 21st century technology, innovation, and business practices and to decide how best to protect consumers in this regard. As a result of the roundtables, the FTC uncovered emerging themes in this space, as follows:

  • the ubiquitous collection and use of consumer data;
  • consumers’ lack of understanding and the ability to make informed choices about the collection and use of their data;
  • the importance of privacy to many consumers;
  • the significant benefits enabled by the increasing flow of information; and
  • the blurring of the distinction between personally identifiable information and supposedly anonymous or de-identified information.[7]

Based upon these themes, a re-examination of the FTC’s current notice-and-choice and harm-based enforcement models, and its rich enforcement experience, the FTC developed a Proposed Framework that applies “broadly to online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer, or device.”[8] Consequently, it expands the scope beyond the traditional notions of personally identifiable information and governs all commercial entities regardless of whether there is direct consumer contact.

The Proposed Framework includes the following three high level principles designed to strike a balance between consumer privacy protection and technological innovation.

  • Privacy By Design.

Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services, such as data security, reasonable collection limits, sound retention practices, and data accuracy. Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.

  • Simplified Choice.

Companies should simplify consumer choice. Companies do not need to provide choice before collecting and using consumer data for commonly accepted practices, such as product fulfillment. For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.

  • Greater Transparency.

Companies should increase the transparency of their data practices. Privacy notices should be clearer, shorter, and more standardized, to enable better comprehension and comparison of privacy notices. Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use. Companies must provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected. All stakeholders should work to educate consumers about commercial data privacy practices.[9]

The Report includes an insightful discussion of the evolution of consumer privacy at the FTC, as well as thoughtful recommendations that unveil an aggressive stance that would reform consumer privacy on many levels. Perhaps the most controversial item is the FTC’s support of a more uniform and comprehensive consumer choice mechanism for behavioral advertising, also referred to as “Do Not Track”.[10] The FTC is soliciting comment on all aspects of the Proposed Framework. The deadline is February 18, 2011.

Conclusion

The Department of Commerce clearly outlines its leading role as the U.S. Chief Privacy Officer, so to speak, but does not attempt to prescribe material or substantive specificity to what we may expect from the recommended FIPPs or Enforceable Privacy Codes of Conduct in its Green Paper. However, it does maintain that the FTC should remain the lead consumer privacy enforcement agency for the U.S. government and, in my mind, seemingly compliments the FTC’s privacy initiative. And, though it does not recommend FIPPs, the FTC appears to support the same high level principles to which the Department’s Revitalized FIPPs or proposed Codes of Conduct may address and its report does so in a more specific and substantive fashion. Both positions align with the notion that self regulation without more is not enough. Taken together, these two privacy initiatives provide us with a sneak peak at the premiere of privacy reform.

Alicia H. Tortarolo is a partner in the California office of Hudson Cook, LLP. Alicia can be reached at 714-263-0425 or by email at atortarolo@hudco.com.

[1]See http://www.ntia.doc.gov/internetpolicytaskforce/
(“Green Paper”).

[2]Green Paper, page 61.

[3]Green Paper, page 44.

[4}Green Paper, page 69.

[5]Green Paper, Introduction, page vii.

[6]See http://www.ftc.gov/os/2010/12/101201privacyreport.pdf (“FTC Report”)

[7]FTC Report, Executive Summary, page iv.

[8]FTC Report, page 42.

[9]FTC Report, page 41.

[10] See FTC Report, pgs 63-69.

Article Archive

2022   2021   2020   2019   2018   2017   2016   2015   2014   2013   2012   2011   2010   2009