On November 13, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) released comments it received from over 200 government, non-profit, academic, and private sector organizations on developing the Administration’s approach to consumer privacy.[1]

Since September, the NTIA has sought public comments to specifically address a number of questions that focused on the outcomes, goals, risks, and implementation of its proposed high-level framework for consumer privacy protection. The Administration’s framework articulated a set of organizational practices focused on data transparency, minimization of collection, the storage, use, and sharing of data, security, and risk management, in addition to broader goals to reconcile a disparate regulatory patchwork and ensure that resources for privacy protections and enforcement are properly allocated. If a few of these concepts sound familiar, it’s because they loosely mirror elements of existing privacy frameworks established at the industry, state, and international levels, and the sources and arbiters of those frameworks took this opportunity to urge the Administration to follow these examples more closely. As the Executive Branch agency principally responsible by law for advising the president on information policy issues, the goal of the NTIA’s request for comment is to inform the Administration’s approach to consumer privacy. As such, the Administration’s consideration and reaction to the comments received is likely to affect future discussions and proposals in the ongoing debate regarding federal privacy legislation. As expected, many of the comments are framed against the backdrop of recent, related changes in law, with particular focus on the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Here, we summarize some of the significant comments and proposals received by the NTIA.

The European Commission and the FTC

The European Commission (the EUC) hoped the Administration would gain some perspective from its own recent privacy overhaul in the form of the GDPR and submitted comments that supported the Administration’s goal of better integration and reconciliation of disparate privacy laws at both a national and global level, research incentivization, and risk-based approaches, but suggested that the Trump Administration strive toward “similar solutions” to the EU’s privacy rules.[2] This sentiment has recently been debated in the private sector, as tech industry leaders have alternatively praised and criticized the GDPR in their own discussions of what a comprehensive U.S. federal privacy law (a concept that most agree upon in theory, but not on the practical details) should look like.[3]

The EUC’s comments also stressed the importance of levelling the legal landscape and making privacy law less of a patchwork to give organizations and consumers more certainty in their compliance and protections, respectively. They emphasized that increased control over an individual’s own data (through the inclusion of individual rights with respected access, correction, explanation for automated decisions, and redress) could engender trust and increase data sharing by customers. In terms of the core principles of data protection, the EUC recognized that the Administration is on the right track in its acknowledgement of the need for security, transparency, accountability and data minimization, but recommended that additional principles receive attention. Two such principles identified by the EUC were: requiring consent or other lawful bases to process data; and specifying a purpose for data processing. Beyond the core principles, the EUC also noted that in order for any approach to be effective, it would need to be enforced by an authority with sufficient resources and enforcement authority. In that regard, the EUC recommended strengthening FTC authority. Likewise, the FTC’s own comments seconded the notion of strengthening FTC authority through a “call that Congress consider legislation that clarifies the FTC’s authority”.[4] The FTC also noted that that it “strongly supports” federal privacy legislation.[5]

Both the FTC and the EUC touched on the importance of breach notification laws, but the EUC further suggested that unification of breach notification requirements through federal legislation would be superior to the current patchwork of state data breach notification laws and the consequent disparate standards.[6] Also of note with regard to the state versus federal privacy framework debate, Californians for Consumer Privacy (the chief proponent of the CCPA, which shares some similarities with the GDPR[7]) also provided comments.

Californians for Consumer Privacy (CCP)

CCP framed their comments using the CCPA as a backdrop to highlight touchpoints similar to those discussed by the EUC. In particular, the CCP comments articulated three principles of the CCPA that could be used to guide the Administration’s approach: (i) transparency (the right for consumers to know what information is being collected); (ii) control (the right for consumers to “say no” and prevent a corporation from selling or sharing their information); and (iii) accountability (ensuring that corporations take data security seriously and safeguard personal information from theft).[8] However, the CCP also identified what it characterized as “major differences” between the CCPA and GDPR and stressed that those differences should be considered in regard to “other countries’ replications of NTIA’s future outcomes…and their potential interaction with the exchange of goods and services…”[9] Specifically, the comments highlighted the CCPA’s gross revenue and data processing thresholds for applicability, as opposed to the GDPR’s applicability to “all entities of any size”, and the GDPR’s requirement to obtain user consent for any data processing (as opposed to the CCPA’s option for consumers to restrict the sale of their information after processing).

Many of the commenters applauded the Administration for taking this initial step, but noted that they await a more fleshed out proposal as its approach develops going forward. The principles articulated and the legal sources drawn upon give some indication as to where U.S. federal privacy law could land, but the particulars remain to be seen in both cases. While a number of the comments set forth common themes (for example, federal unification of data security standards), a great deal of ground remains to be covered before a generally applicable federal privacy law is likely to be adopted.