The Internet Policy Task Force (“Task Force”) of the Department of Commerce (“DOC”) issued its green paper on commercial data privacy, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” on December 16, 2010. The report sets forth the Task Force’s proposed framework through which to assess current public policy governing commercial privacy. While the report does not express a commitment to specific policy proposals, it is intended to stimulate public discussion with the goal of identifying more specific proposals to be considered in a future white paper. Comments are due on January 28, 2011.

In general, the report reviews the current status of policy related to commercial data privacy and calls for strengthening the U.S. commercial data privacy framework, especially in the areas of ensuring transparency and informed consent for consumers, while providing guidance to businesses and clarifying the U.S. approach to commercial data privacy. It expresses support for voluntary, enforceable codes of conduct to address emerging technologies and issues not covered by the current application of the Fair Information Practice Principles (“FIPPs”). It also stresses the importance of not hampering the innovation, customer service, and use of new technologies that are a hallmark of online commerce in the U.S. In addition, the report calls for the creation of a Privacy Policy Office within the DOC. The report introduces its proposals as a “Dynamic Privacy Framework.” The following is a summary of the key themes from the report.

The framework is organized around five main recommendations:  

  1. Adoption of a comprehensive set of FIPPs to protect the privacy of personal information in commercial contexts not covered by existing sectoral law.
  2. Recognition of expanding interoperability between U.S. and international data privacy frameworks.
  3. Adherence to voluntary industry codes of conduct.
  4. Creation of a new privacy policy office within DOC to focus on commercial data privacy.
  5. Setting a national standard for notifications following security breaches involving personal information in the commercial context.

The report sets forth the following policy options for discussion:

Bolstering Consumer Trust Online Through 21st Century Fair Information Practice Principles. The report calls for comprehensive, baseline privacy rules based upon the FIPPs to protect commercial data in areas where it is unregulated by existing sectoral laws—namely, consumer data that is presently largely covered by a notice-and-choice regime. The report expresses no preference for the method of implementation, and mentions legislation, industry self-regulation, greater FTC enforcement of the existing framework, enhanced FTC rulemaking, or some combination of the above as possibilities.

The report points to the “enhanced notice” model adopted by the online advertising industry as one example demonstrating that current commercial data privacy policies may already provide adequate incentives for industry to act voluntarily.

Advancing Consumer Privacy Through a Focus on Transparency, Purpose Specification, Use Limitation, and Auditing. The report calls for increased attention to substantive protections, both as part of, and separate from, the FIPPs-based rules it advocates adopting. For transparency, the report calls for privacy policies written in a way that stresses simplicity and clarity. It also suggests the use of privacy impact assessments (“PIAs”) in conjunction with privacy notices. PIAs would require organizations to identify and evaluate privacy risks arising from the use of personal information in new technologies or information practices, and to publish this information. They also have the benefit of inducing organizations to think through how their information systems comport with the FIPPs.

The report further seeks increased alignment between consumer expectations and actual information practices, mainly by focusing on two principles—purpose specification and use limitation—which would require an organization to disclose the specific reasons for which it collects information, and then limit the organization to those purposes. The report also calls for increased use of audits that compare actual data use against the stated purposes for which the data was collected.

Maintaining Dynamic Privacy Protections Through Voluntary, Enforceable, FTC-Approved Codes of Conduct. The report expresses concern over privacy practices that do not adapt fast enough, and recommends the adoption of voluntary, enforceable codes of conduct. The report is intentionally ambiguous about who would write these codes of conduct, and this ambiguity could be interpreted as calling for the DOC to be the primary author. In that scenario, the codes of conduct would simply amount to regulation by different means. The report cites the Self-Regulatory Code of Conduct adopted by the online behavioral advertising industry as the only positive example of this type of code. The report suggests multiple incentives for developing the codes, including increased encouragement (and enforcement) by the FTC and a safe harbor option for companies that adopt voluntary codes of conduct.

The report also sets out a proposal for creating a “Privacy Policy Office” (“PPO”) within DOC. It proposes that the PPO work with the FTC to identify areas where new industry privacy codes are needed to implement the FIPPs, and envisions this office as being able to respond quickly to new technologies and to assist industry with developing guidelines for voluntary, enforceable commercial data privacy codes. It envisions that this office will work with the Executive Branch and a number of other government agencies as well as with privacy officers in the private sector.

The report makes clear that the FTC will remain the federal government’s primary enforcer of consumer privacy protection for existing and new privacy legislation. But the report leaves the door open for increased enforcement by individual states as well.

Encourage Global Interoperability. In recognition of the obstacles that different international standards for data privacy impose on organizations, the report lists a number of recommendations made by respondents to the DOC Notice of Inquiry for encouraging greater harmony with the laws of other countries in this area. The report stops short of advocating any of these recommendations, and simply encourages greater attention to be paid to identifying and working towards greater international interoperability.

National Security Breach Notification. The report reiterates the frustration industry feels at having to comply with a patchwork of state data breach notification laws, and wants to consider what a national data breach notification law would look like. The report does not make any specific recommendations in this area.

Relationship Between a FIPPs-Based Commercial Data Privacy Framework and Existing Sector-Specific Privacy Regulation. The report also calls for further study of what is both good and bad about sector-specific privacy laws, such as HIPAA (health information) and GLB (financial information), and of how a comprehensive, FIPPs-based framework would interact with these laws.

Preemption of State Law. The report does not make any recommendations regarding preemption of state law, and suggests that such preemption could range anywhere from narrowly tailored to broadly sweeping. The report also seeks further input on the role of State Attorneys General in enforcing a national FIPPs-based regime.

Electronic Surveillance and Commercial Information Privacy. The report advocates consideration of reform of the 1986 Electronic Communications Privacy Act in light of the rise of cloud computing and location-based services.