The Internet Policy Task Force (“Task Force”) of the Department of Commerce (“DOC”) issued its green paper on commercial data privacy, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” on December 16, 2010. The report sets forth the Task Force’s proposed framework through which to assess current public policy governing commercial privacy. While the report does not express a commitment to specific policy proposals, it is intended to stimulate public discussion with the goal of identifying more specific proposals to be considered in a future white paper. Comments are due on January 28, 2011.
The framework is organized around five main recommendations:
- Adoption of a comprehensive set of Fair Information Practice Principles (“FIPPs”) to protect the privacy of personal information in commercial contexts not covered by existing sectoral law.
- Recognition of expanding interoperability between U.S. and international data privacy frameworks.
- Adherence to voluntary industry codes of conduct.
- Setting a national standard for notifications following security breaches involving personal information in the commercial context.
The report sets forth the following policy options for discussion:
Bolstering Consumer Trust Online Through 21st Century Fair Information Practice Principles. The report calls for comprehensive, baseline privacy rules based upon the FIPPs to protect commercial data in areas where it is unregulated by existing sectoral laws—namely, consumer data that is presently largely covered by a notice-and-choice regime. The report expresses no preference for the method of implementation, and mentions legislation, industry self-regulation, greater FTC enforcement of the existing framework, enhanced FTC rulemaking, or some combination of the above as possibilities.
The report pointed to the “enhanced notice” model that has been adopted by the online advertising industry as one example demonstrating that current commercial data privacy policies may be providing adequate incentives to industry to act voluntarily.
Advancing Consumer Privacy Through a Focus on Transparency, Purpose Specification, Use Limitation, and Auditing. The report calls for increased attention to substantive protections, both as part of, and separate from, the FIPPs-based rules it advocates adopting. For transparency, the report calls for privacy policies written in a way that stresses simplicity and clarity. It also suggests the use of privacy impact assessments (“PIAs”) in conjunction with privacy notices. PIAs would require organizations to identify and evaluate privacy risks arising from the use of personal information in new technologies or information practices, and to publish this information. They also have the benefit of inducing organizations to think through how their information systems comport with the FIPPs.
The report further seeks increased alignment between consumer expectations and actual information practices, mainly by focusing on two principles—purpose specification and use limitation—which would require an organization to disclose the specific reasons for which it collects information, and then limit the organization to these purposes. The report also calls for increased use of audits of actual data use compared to the stated purposes for which this data will be used.
Maintaining Dynamic Privacy Protections Through Voluntary, Enforceable, FTC-Approved Codes of Conduct. The report expresses concern over privacy practices that do not adapt fast enough, and recommends the adoption of voluntary, enforceable codes of conduct. The report is intentionally ambiguous about who would be writing these codes of conduct, and this ambiguity could be interpreted as calling for the DOC to be the primary author. In that scenario, these codes of conduct would simply amount to regulation by different means. The report cites the Self-Regulatory Code of Conduct adopted by the online behavioral advertising industry as the only positive example of this type of code. The report suggests multiple incentives for developing the codes, including increased encouragement (and enforcement) by the FTC and a safe harbor option for companies who adopt voluntary codes of conduct.
The report makes clear that the FTC will remain the federal government’s primary enforcer of consumer privacy protection for existing and new privacy legislation. But the report leaves the door open for increased enforcement by individual states as well.
Encourage Global Interoperability. In recognition of the obstacles that different international standards for data privacy impose on organizations, the report lists a number of recommendations made by respondents to the DOC Notice of Inquiry for encouraging greater harmony with the laws of other countries in this area. The report stops short of advocating any of these recommendations, and simply encourages greater attention to be paid to identifying and working towards greater international interoperability.
National Security Breach Notification. The report reiterates the frustration that industry feels at having to comply with a patchwork of state data breach notification laws and wants to consider what a national data breach notification law would look like. The report does not make any specific recommendations in this area.
Relationship Between a FIPPs-Based Commercial Data Privacy Framework and Existing Sector-Specific Privacy Regulation. The report also wants further study of what is both good and bad about sector-specific privacy laws, such as HIPAA (health information) and GLB (financial information), and how a comprehensive, FIPPs-based framework would interact with these laws.
Preemption of State Law. The report also does not make any recommendations regarding state preemption, and suggests that such preemption could range anywhere from being narrowly tailored to broadly sweeping. The report also seeks further input on the role of State Attorneys General to enforce a national FIPPs-based regime.
Electronic Surveillance and Commercial Information Privacy. The report advocates consideration of reform of the 1986 Electronic Communications Privacy Act in light of the rise of cloud computing and location-based services.