Last week the National Telecommunications and Information Administration (NTIA) published a Request for Comment (RFC) to solicit ideas on a federal privacy framework. As part of this RFC, the Trump administration laid out the outcomes it wishes to see and its goals for federal action. Upon initial analysis, all the right issues are on the table and the administration acknowledges that many of the tools we’ve used in the past – like box-checking notice and consent models – have not always served us well. But one big piece is missing: endorsing a legislative floor that prohibits exploitive and intrusive data collection and use.
Privacy Outcomes. NTIA endorses a number of privacy outcomes that are represented in longstanding U.S. and international policy. Drawing on the Fair Information Practices and Principles and international frameworks like the GDPR, the administration embraces (1) transparency, (2) control, (3) reasonable minimization, (4) security, (5) access and correction, (6) risk management, and (7) accountability. The administration also clarifies that it views all of these principles through a risk management framework and requests that a national framework “refocus on the outcomes of organizational practices, rather than on dictating what those practices should be.”
There are two things of note in this section. First is the acknowledgment that the notice-and-consent model of protecting privacy may not be sufficient. The administration notes that “relying on user intervention may be insufficient to manage privacy risks” and that products and services must be “inherently designed with appropriate privacy protections.” Nothing could be more true. No amount of notice and consent or “user control” will be sufficient to protect consumers if technologies are designed in ways that undermine privacy. Second is the administration’s inclination to leave corporations in charge of deciding what are reasonable and context-appropriate uses of data. This is more complicated. Unfettered discretion has led to significant privacy failures (including Cambridge Analytica, Strava, and Grindr) and our way forward cannot be doubling down on that model. A flexible risk management approach must be undergirded by a privacy floor that systemically addresses the most offensive behavior.
For example, CDT believes the collection of detailed location information must only happen when a consumer has purposely opted into a service that requires this type of information, and there should be a strong legal presumption that location information won’t be shared or used for other purposes. These types of guardrails should exist for other sensitive practices like identification using biometrics, the collection of information on children and individual health, and targeting based on protected classes like race or religion.
Federal Action. The NTIA RFC also discusses how a privacy framework should operate procedurally and interact with existing laws. NTIA proposes the preemption of state privacy laws, application to all non-regulated entities, consistency with the GDPR, fair treatment for small businesses, and for the FTC to remain responsible for privacy. Most of this section is not controversial, and decision makers and commenters are outright presuming that many of these principles will be included. Preemption of state law, however, will remain a third rail throughout this process and undoubtedly be subject to debate until the ink dries on a federal law. Notably, preemption cannot happen without a federal law, so the administration is effectively calling for Congressional action.
Next Steps. Comments are due Oct. 26, and the RFC requests proposals on how the administration should move forward on many different issues. It of course asks whether these outcomes and actions are the right ones, but also what executive actions like procurement should be used to encourage these outcomes or whether statutory changes are needed. Almost sheepishly, it asks whether the U.S. can regain its leadership in tech policy.
CDT will file comments recommending strong federal privacy legislation that creates a clear, targeted, and enforceable baseline in the U.S. This would not only good for consumers, but would be the only way for the U.S. to attempt to reclaim its leadership role in this policy space. It also would be the only way to bring the third of Americans who have reduced their online activity – according to NTIA’s own data – back into the fold. It is going to take an extraordinary amount of work, but failing to pass federal privacy legislation will waste this unique opportunity.