December 16, 2018

December 14, 2018

Subscribe to Latest Legal News and Analysis

NTIA Publishes Stakeholder Comments on Consumer Privacy Proposal

Last week, the National Telecommunications and Information Administration (“NTIA”) released submissions it had received from the Federal Trade Commission (“FTC”) staff and many other parties on NTIA’s proposed framework for advancing consumer privacy while protecting innovation.  Although NTIA did not request comments on a possible federal privacy bill, most submissions took the opportunity to inform NTIA of what such a federal privacy bill should look like.

In its comments, FTC staff focused on four major themes: transparency, control, enforcement, and security.  With respect to transparency, it suggested privacy policies—while valuable, because they help enforcers “hold companies to their promises”—should more closely align with “consumer demand for information” and avoid “ legalese” or “bloat.”  And with respect to consumer control over personal data, FTC staff supported a balanced approach.  In certain situations, it suggested, companies need not obtain explicit consent from consumers in order to collect and process their data, as when websites “collect click-through rates” or retailers “collect and disclose de-identified data.”  But consent obligations would be triggered if companies wanted to collect sensitive data or use data in ways materially inconsistent with original representations.

The European Commission generally supported the NTIA’s proposal but stressed that privacy protections must be grounded in legislation.  Moreover, the European Commission urged NTIA to expand its proposal.  For instance, it argued that companies should not be able to process consumer data without a lawful basis for doing so—an idea that is at the core of the European Union’s General Data Protection Regulation (“GDPR”).  The European Commission also urged NTIA to add specific protections for “sensitive data” and a requirement to report data security breaches.  These principles, it stated, already are codified in the EU-US Privacy Shield.  The European Commission also urged NTIA to go beyond the right to access and correct data, and to provide safeguards against biased algorithms.

Several key themes emerged in submissions from industry associations such as the U.S. Chamber of Commerce and the American Advertising Federation.  These groups urged passage of a federal privacy law that would preempt state laws—including state data-breach notification laws—and promote international data transfers.  New legislation should be technology-neutral, they stressed, although special accommodations may be appropriate for smaller companies.  The law’s requirements also should be flexible—these groups generally supported the NTIA’s “risk-based” approach—such that the rights of consumers and obligations of companies would depend on context.  And these industry associations stressed that the FTC should remain the country’s primary privacy enforcer; consumers, they maintained, should not have a private right of action.  Several groups also noted that data minimization requirements should not hamper efforts to advance AI and machine learning, which depend on the collection and analysis of “Big Data.”

Consumer groups, on the other hand, were generally critical of the NTIA’s proposed “risk-based approach.”  Some supported an “opt in” consumer consent model and argued that consumers should have private rights of action under any new statute.  The Electronic Privacy Information Center perhaps went the furthest on enforcement, suggesting that FTC enforcement has been inadequate and that a new statute should create a new federal privacy agency.

All of the comments submitted last week can be accessed here.

© 2018 Covington & Burling LLP

TRENDING LEGAL ANALYSIS


About this Author

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular.  Our practice provides exceptional coverage of all of the substantive areas of privacy, including IT/technology, data security, financial privacy, health privacy, employment privacy, litigation and transactions.  One of our core strengths is the ability to advise clients on relevant privacy and data security rules worldwide,...

202.662.5519