Envisioning a Federal Baseline Privacy Framework
Privacy protection in the United States is characterized by multiple sector-specific privacy laws, with backstop enforcement carried out through the Federal Trade Commission (“FTC”)’s authority to police unfair and deceptive acts and practices. In recent months, public attention on the subject of data protection, pressures from foreign privacy frameworks such as the GDPR, and the danger of a patchwork of divergent and unworkable state privacy laws emerging have raised questions about the continued suitability of the current federal approach to privacy. In response, numerous industry groups, policy makers, and consumer advocacy organizations have called for the development of federal baseline privacy legislation that sets consistent rules for the treatment of consumer data to promote a trustworthy and sustainable digital economy. This week, the House Energy & Commerce Subcommittee on Consumer Protection and Commerce will hold a hearing on Protecting Consumer Privacy in the Era of Big Data, and the Senate Commerce Committee will hold a hearing titled Policy Principles for a Federal Data Privacy Framework in the United States to inform Congressional efforts to enact a modern federal baseline privacy law.
Industry organizations and companies are united in backing strong and consistent principles for the protection of consumer information that safeguard data and enable internet services, American innovation, and socially beneficial data practices. Many of these groups have drafted model privacy principles and legislative proposals to support these shared goals and aid in the creation of a federal baseline privacy framework. Among these companies and organizations are Business Roundtable (“BRT”), Business Software Alliance (“BSA”), Computer and Communications Industry Association (“CCIA”), Google, Information Technology Industry Council (“ITI”), Intel, the Internet Association (“IA”), and the U.S. Chamber of Commerce. This blog post identifies and describes some of the commonly recurring themes of these industry frameworks for federal privacy legislation.¹ A more in-depth look into recurring principles in these frameworks can be found here.
1. Broad Scope
A fundamental question for these industry proposals is determining what types of organizations should be covered under a new federal privacy framework. While a series of sector-specific privacy laws already exists in the U.S., this status quo can create gaps in coverage. Thus, the commonly held view is that federal baseline privacy legislation should broadly encompass all organizations, regardless of sector or size (though in some frameworks very small organizations are excluded). As ITI states, a federal privacy framework should take “a robust, technology and business model-neutral approach for the protection of privacy and personal data that advances the interests of all stakeholders, including consumers, businesses, individuals, and governments.” IA further elaborates that such a framework “should be both technology neutral (no specific technology mandates) and sector neutral (applying to online and offline companies alike).”
2. Properly Defining Personal Information
Another foundational matter that these privacy frameworks address is precisely defining what “personal information” should be subject to federal privacy requirements. Without an accurate description of what “personal” information or data is, it would be easy to inadvertently cover information that isn’t really private and therefore should not be subject to regulation. CCIA defines personal information or data to include “any data under the control of a covered organization, that is not de-identified or otherwise generally available to the public through lawful means, and is linked or practically linkable to a specific individual, or linked to a specific device or account that is associated with or routinely used by an individual.” ITI further elaborates on the definition by identifying exclusions, specifying that “data that is anonymized, pseudonymized and protected, or otherwise publicly available is not personal data.”
3. Transparency
Transparency is essential to building and maintaining consumer trust, and providing consumers with a basis for more meaningful choice and control over their data. Industry groups support a requirement for organizations to provide notice and make publicly available disclosures about what they are doing with users’ personal data, including the types of personal information they collect, why they collect it, and how they use or share it. For example, the Business Roundtable says that “consumers should have reasonable access to clear, understandable statements about the organization’s practices and policies with respect to personal data, including: information on the types of personal data collected; the purposes for which the personal data will be used; whether and for what purposes personal data may be disclosed or transferred to non-affiliated third parties” among other categories of disclosures.
4. Consumer Choice
Another common theme between the privacy principles is the need to empower consumers in exercising choice over the collection and use of their personal information. The frameworks broadly support giving individuals the ability to object to data processing, while recognizing certain exceptions such as data processing necessary to provide a service, or to protect information systems. Several organizations support heightened consent standards in the context of collecting or processing sensitive personal information, such as health care information or precise geolocation data. For example, ITI states that “individuals should have the right to expressly and affirmatively consent to the use of their sensitive personal data” unless certain exceptions applied.
5. Meaningful Consumer Controls
Industry groups have identified a consistent set of rights through which consumers can exercise control over their personal information. These include the rights to have reasonable access to personal information that consumers provide to an organization, the ability to correct that information, and the ability to request the deletion of that information subject to certain necessary exceptions. Some groups go further and support a right to data portability – the ability to make personal information provided to an organization available to export in a machine-readable format where doing so would not implicate the personal information of others. For example, Google has stated that data portability would empower individuals, as well as keep markets innovative, competitive, and open to new entrants.
6. Data Security
Although the present national conversation revolves around a federal privacy law, industry players recognize that it is impossible to have privacy without also having security. Therefore, multiple groups state that any comprehensive privacy framework should contain requirements for the reasonable protection of consumer information. However, given that appropriate data security depends on a variety of factors such as the sensitivity of the data at issue, and best practices and technology for cybersecurity are constantly evolving, groups such as the Chamber of Commerce state that security requirements should be risk-based and that “companies should have flexibility in determining reasonable security practices.”
Unfortunately, no system can ever be one-hundred percent secure. If a breach of personal information does occur, industry groups such as ITI state that affected individuals should be notified in “a timely manner if a breach of their personal data triggers a risk of concrete and measurable harm to them or their rights.” Several organizations, including CCIA, the Business Roundtable, and IA, have called for a standardized federal breach notification requirement that replaces the current 50-state patchwork of breach notification statutes, as national harmonization would provide consistency for individuals and companies alike.
7. Scalable Requirements
The burden of regulations that contain overly prescriptive, inflexible requirements can fall disproportionately hard on small and medium-sized firms. As a result, regulation can have the effect of strengthening the market position of companies with sophisticated compliance teams and could chill new investment, innovation, and market entry. Due to this dynamic, several industry groups have called for scalable, technology-neutral, outcome-oriented requirements that take the size and complexity of different organizations into account. For example, CCIA states that “context, including an organization’s scale and resources, the sensitivity of the data it holds, and its uses for that data, should inform the measures that it puts in place to protect data.”
8. Federal Preemption
A federal baseline privacy law should ensure that consumers can expect consistent privacy protections for their information throughout the digital economy. In order to achieve this, the law should preempt substantially overlapping state laws related to consumer privacy that could create a highly burdensome and incongruous regulatory environment. Federal preemption should be carefully crafted so as not to be overinclusive or underinclusive. Intel’s draft bill takes a sophisticated approach, preempting civil provisions of state law “to the degree they are focused on the reduction of privacy risk through the regulation of personal data collection and processing activities” while explicitly excluding other state laws, such as consumer protection, constitutional, trespass, contract, fraud, and tort law, that are not substantially intended to govern personal data collection or processing.
9. Accountability
The proposed privacy frameworks also include provisions to hold organizations accountable for complying with their privacy and security obligations and for enabling consumers to exercise reasonable choice and controls. Accountability can take numerous forms and be carried out in different ways. For example, according to BSA, “organizations should develop policies and procedures that provides the safeguards outlined in [their] framework, including designating persons to coordinate programs implementing these safeguards and providing employee training and management; regularly monitor and assess the implementation of those programs; and, where necessary, adjust practices to address issues as they arise.” ITI stresses that “companies should maintain records pertaining to risk assessments and security programs so that they are auditable by the designated authority in the event of an incident.” Several industry groups also state that companies should be accountable for ensuring that any third parties who receive data meet the same privacy and security requirements as the original data controller.
10. Enforcement through the Federal Trade Commission
There is widespread agreement throughout industry groups that the FTC should be the primary enforcement authority over any new federal baseline privacy law. The FTC, in comparison to other agencies, has by far the most experience in managing and navigating privacy violations, by virtue of its authority to police unfair and deceptive acts and practices and having been vested with the power to enforce various sector-specific laws. In the past decade, the FTC has brought over 100 privacy enforcement actions pursuant to these powers, curing bad practices and levying civil fines against repeat offenders. Multiple stakeholders including Intel, CCIA, and IA also believe that the FTC’s authority should be supplemented by the ability for state Attorneys General to carry out enforcement where the FTC has declined to act.
¹ This blog post seeks to identify common themes in prominent industry privacy proposals. As such, it does not comprehensively summarize all the elements of any single legislative proposal.