- The Trump Administration recently announced plans to establish U.S. consumer privacy standards in response to a series of high-profile privacy breaches.
- Two federal agencies – National Institute of Standards and Technology (NIST) and National Telecommunications and Information Administration (NTIA) – are working collaboratively with the public and private sectors to develop voluntary frameworks for privacy.
- All organizations that collect, store or sell consumer data are encouraged to engage with NIST, NTIA and Congress to provide input on the development of a U.S. privacy standard.
The Trump Administration, on Sept. 4, 2018, formally announced its plans to establish U.S. consumer privacy standards. Two federal agencies within the U.S. Department of Commerce – National Institute of Standards and Technology (NIST) and National Telecommunications and Information Administration (NTIA) – are working collaboratively with the public and private sectors to develop voluntary frameworks for privacy. The development of U.S. federal privacy standards follows global efforts to enforce privacy protections including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and responses to a series of widely publicized cybersecurity attacks which resulted in hundreds of millions of U.S. consumers data being compromised. Congress is also considering a legislative response to establish statutory consumer privacy rights and remedies for violations. Initial industry response has been supportive of creating one federal consumer privacy standard, but there is angst over where that standard will draw the line. All organizations and companies that collect, store or sell consumer data should engage with NIST, NTIA and Congress to provide input on the development of a U.S. privacy standard.
Factors Prompting New Push for Privacy Laws and Regulations
The Trump Administration's decision to establish federal data privacy standards began several months ago following a series of high-profile cybersecurity breaches.
Stringent privacy laws have been adopted by numerous countries and some individual states in the U.S. In Europe, privacy is viewed as a human right which resulted in the EU enacting GDPR in 2016 a sweeping new privacy regulation that gives consumers the right to control their personal information and sets penalties for companies that violate a consumer's privacy. In June 2018, California enacted CCPA, the first privacy law of its kind in the U.S. that in some cases goes beyond GDPR. Further, all 50 states and the District of Columbia have enacted data breach notification laws. The Federal Trade Commission (FTC), as well as banking, financial and healthcare regulators, currently enforce alleged violations of consumer privacy and the resulting impact of a data breach.
These broad, and often conflicting, privacy and breach notification laws and regulations have created a patchwork of standards regulating the collection, storage and use of personal data, making compliance even more difficult for global organizations. The creation of voluntary privacy standards is intended to be a first step toward a more uniform approach to consumer privacy in the U.S.
NIST Privacy Framework
NIST has a long and well-respected history of working collaboratively with the public and private sectors to create technical standards. In 2013, NIST was tasked with the creation of the Cybersecurity Framework (Framework) as a result of White House Executive Order 13636. During the initial rounds of drafts, privacy language was included but was subsequently removed before the first draft of the Framework was issued in 2014. The Framework has been cited and analyzed in litigation, and is used as a basis for cybersecurity practices by numerous industries and companies.
NIST intends to use a similar approach to develop the Privacy Framework as a tool to better identify, assess, manage and communicate privacy risks. NIST will begin its public engagement by holding a series of public workshops to discuss ways that the Privacy Framework can meet organizations' needs to better protect personal information. The first workshop will be Oct. 16, 2018, from 2:30 to 5:30 p.m. in Austin, Texas. A recording of the workshop will be posted here shortly after the event. NIST has announced plans to integrate these discussions into an annotated outline of the Privacy Framework. Prior to the workshop, NIST will post pre-read materials on the Privacy Framework website. NIST also plans to hold a live webinar on the Framework in November 2018, though a specific date has not been released. Attending these workshops in person and/or providing well-tailored comments can benefit companies looking to develop or improve their data privacy practices.
NTIA Privacy Principles
Under the umbrella of the U.S. Department of Commerce's Internet Policy Task Force, NTIA, NIST and selected other agencies, including the International Trade Administration (ITA) and the U.S. Patent and Trademark Office (PTO), look at key policy issues around issues in the "internet economy." A 2017 NTIA survey indicated that nearly three-quarters of internet-using households had significant concerns about privacy and security risks, such as identity theft or loss of control over personal information. These efforts are all part of broader effort to establish Privacy Principles – a "domestic legal and policy approach for consumer privacy." The Principles will be published with a request for comment.
NTIA has been holding stakeholder meetings on a rolling bases to identify common ground and formulate core, high-level principles on data privacy. In July 2018, NTIA held a listing session with three dozen or so tech industry representatives and discussed "how to best protect personal privacy while also responding to consumer demand for innovative products and services." International Trade Administration and NIST officials also took part.
NTIA has also been involved in the development of privacy principles through its multistakeholder privacy best practice process on a variety of issues, including unmanned aircraft systems, facial recognition technology and mobile application transparency.
Possible Congressional Action on Federal Data Breach Law
As NIST and NTIA continue work on the creation of voluntary consumer privacy standards, Congress may act in the interim to establish mandatory data breach notification and consumer privacy requirements. Congress has held numerous hearings on cybersecurity risks and the need for increased consumer privacy protections over the course of 2017-2018, including with major technology companies that collect, store or resell consumer personal information. A host of bills have been introduced which would focus on varying requirements and enforcement authorities. One such bill introduced by Sens. Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) on April 23, 2018, S. 2728, the "Social Media Privacy Protection and Consumer Rights Act of 2018," would establish new consumer privacy rights when they participate in an online platform that collects personal data during the online behavior of its users.
The Senate Commerce Committee has scheduled a hearing, Examining Safeguards for Consumer Data Privacy, that will include a number of the largest U.S. tech companies. The hearing on Sept. 26, 2018, will inform the development of federal online privacy legislation by a bipartisan group of four Senate Commerce Committee members – Sens. Jerry Moran (R-Kan.), Roger Wicker (R-Miss.), Richard Blumenthal (D-Conn.) and Brian Schatz (D-Hawaii) – who are reported to be negotiating a potential online privacy bill. Commerce Committee Chairman John Thune (R-S.D.) has also expressed an interest in developing his own online privacy proposal.
Over the course of the last year, a host of prominent organizations and trade associations have expressed support for Congress enacting a federal data breach pre-emption bill with others supporting specific privacy standards. On Sept. 6, 2018, the U.S. Chamber of Commerce released its own Privacy Principles and has expressed its commitment to "continue working with lawmakers and industry stakeholders with the goal of advancing privacy legislation." On Sept. 12, 2018, the Internet Association released a set of Privacy Principles and has committed "to working with Congress to develop a national approach to privacy that provides people with transparency and trust, while still allowing companies to innovate and develop products people love." On the same day, BSA | The Software Alliance released a Privacy Framework and urged Congress "to support a user-centric approach to privacy that will provide consumers with mechanisms to control their personal data."
The effort by NIST and NTIA to work collaboratively with the public and private sectors to create a commonly accepted consumer privacy standard-setting process as well as the efforts by Congress to take action are signals that there is momentum to create a national consumer privacy framework in the United States. As the legislative and executive branches develop privacy solutions, there are ample opportunities for organizations to engage in order to ensure these privacy standards are reflective of the nuances of varying organizations.