The increased role of data collection and analysis in modern economies, along with the growth of emerging technologies such as highly automated vehicles and unmanned aircraft systems, brings privacy concerns to the forefront—particularly regarding the proper role of government intervention. NTIA’s stated justification for the need to expand federal policymaking on consumer privacy protections is, at least in part, driven by international and domestic efforts to enact more stringent privacy and data protection regimes—such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018. The agency notes that these “distinct visions for how to address privacy concerns [lead] to a nationally and globally fragmented regulatory landscape” with the potential to reduce economic growth and innovation in the data sharing economy.
It is, therefore, reasonable that the agency is taking steps to minimize the costs of a patchwork of disparate privacy regimes. Nonetheless, the agency’s list of outcomes that “should be produced by any Federal actions on consumer privacy” is not an appropriate framework for regulation. The list implies that regulation to increase privacy protections in each category would—by design—generate better outcomes for the public. My own research on privacy controls identifies a broad base of evidence that consumers enjoy substantial benefits by gaining access to online content and other services in exchange for allowing use of their data; in contrast, there is little evidence that this exchange results in costly harms to consumers that outweigh these benefits (i.e., possibly presenting a compelling public need that might suggest the use of regulation). Consequently, it is not accurate to presume that NTIA’s list of outcomes will necessarily produce net beneficial results for the public.
This comment proposes the following recommendations for NTIA to consider:
1. Privacy regulation should be based on evidence that regulation will actually advance privacy outcomes in ways that consumers value. Evidence-based regulation (EBR)—successful implementation of evidence-enhancing strategies—is a more appropriate framework to guide regulatory decisions.
2. The benefit of regulating consumer privacy should exceed the social cost—including costs consumers will bear as a result of regulation.
3. Further research should focus on generating useful empirical estimates of the benefits and costs of privacy controls.
Background on Interagency Policy Task Force—Privacy Initiative
NTIA Proposed Privacy Outcomes
The agency proposes several “principle-based approaches” to privacy, stating that it intends to avoid overly prescriptive policies that “stymy innovating privacy solutions [while] not necessarily providing measurable privacy benefits.” It is worth noting that NTIA’s list of broadly defined, normative privacy principles closely parallels several of the elements of the EU’s GDPR regulation—albeit with less specificity or proposed stringency regarding penalties (i.e., fines for noncompliance).
Transparency. Users should be provided the opportunity to give informed consent in such a way that they understand the manner in which entities are collecting, storing, and using their personally identifiable information (PII).
Control. Consumers should have some measure of control over the collection, storage, and use of their data.
Reasonable Minimization. “Collection, storage, length, use, and sharing by organizations should be minimized in a manner and to an extent that is reasonable and appropriate to the context and risk of privacy harm.”
Security. “Organizations…should employ security safeguards to secure these data [PII].” In short, users should have a reasonable expectation that their PII are protected from unauthorized access, destruction, etc.
Access and Correction. Users should have “reasonable [ability] to access personal data that they have provided, and to rectify, complete, amend, or delete this data.”
Risk Management. Organizations should use risk-based approaches to reduce the risk of potential harm to consumers and increase user privacy.
Accountability. Entities should be accountable—both internally and to external audiences—while using approaches “that enable flexibility, encourage privacy-by-design, and focus on privacy outcomes… [while taking] steps to ensure that their third-party vendors and servicers are accountable for their use, storage, processing, and sharing of that data.”