NTIA's Approach to Consumer Privacy

November 9, 2018



Introduction

NTIA is requesting public comments on its proposed approach to guide federal policymaking related to consumer privacy. The agency’s approach is divided in two parts: 1) a list of privacy outcomes that “any Federal actions on consumer-privacy policy” should aim to achieve, and 2) a list of high-level goals “setting the broad outline for the direction that Federal action should take.”

The increased role of data collection and analysis in modern economies along with the growth of emerging technologies such as highly automated vehicles and unmanned aircraft systems bring privacy concerns to the forefront—particularly regarding the proper role of government intervention. NTIA’s stated justification for the need to expand federal policymaking on consumer privacy protections is, at least in part, driven by international and domestic efforts to enact more stringent privacy and data protection regimes—such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018. The agency notes that these “distinct visions for how to address privacy concerns [lead] to a nationally and globally fragmented regulatory landscape” with the potential to reduce economic growth and innovation in the data sharing economy.

It is, therefore, reasonable that the agency is taking steps to minimize the costs of a patchwork of disparate privacy regimes. Nonetheless, the agency’s list of outcomes that “should be produced by any Federal actions on consumer privacy” is not an appropriate framework for regulation. The list implies that regulation to increase privacy protections in each category would—by design—generate better outcomes for the public. My own research on privacy controls identifies a broad base of evidence that consumers enjoy substantial benefits by gaining access to online content and other services in exchange for allowing use of their data; in contrast, there is little evidence that this exchange results in costly harms to consumers that outweigh these benefits (i.e., possibly presenting a compelling public need that might suggest the use of regulation). Consequently, it is not accurate to presume that NTIA’s list of outcomes will necessarily produce net beneficial results for the public.

This comment proposes the following recommendations for NTIA to consider:

1. Privacy regulation should be based on evidence that regulation will actually advance privacy outcomes in ways that consumers value. Evidence-based regulation (EBR)—successful implementation of evidence-enhancing strategies—is a more appropriate framework to guide regulatory decisions.

2. The benefit of regulating consumer privacy should exceed the social cost—including costs consumers will bear as a result of regulation.

3. Further research should focus on generating useful empirical estimates of the benefits and costs of privacy controls.

Background on Interagency Policy Task Force—Privacy Initiative

Located within the Department of Commerce (DOC), NTIA is responsible for advising the president on telecommunications and information policy issues. The agency’s request for comment is part of its work as a member of the Internet Policy Task Force—an interagency task force DOC created to review policy issues including privacy, copyright, global free flow of information, and cybersecurity. NTIA’s proposed approach to guide federal consumer-privacy policy is the result of this interagency process led by the National Economic Council in coordination with the International Trade Administration and the National Institute of Standards and Technology.

NTIA Proposed Privacy Outcomes

The agency proposes several “principle-based approaches” to privacy, stating that it intends to avoid overly-prescriptive policies that “stymy innovating privacy solutions [while] not necessarily providing measurable privacy benefits.” It is worth noting that NTIA’s list of broadly-defined, normative privacy principles closely parallels several of the elements of the EU’s GDPR regulation—albeit with less specificity or proposed stringency regarding penalties (i.e., fines for noncompliance).

Transparency. Users should be provided the opportunity to give informed consent in such a way that they understand the manner in which entities are collecting, storing, and using their personally identifiable information (PII).

Control. Consumers should have some measure of control over the collection, storage, and use of their data.

Reasonable Minimization. “Collection, storage, length, use, and sharing by organizations should be minimized in a manner and to an extent that is reasonable and appropriate to the context and risk of privacy harm.”

Security. “Organizations…should employ security safeguards to secure these data [PII].” In short, users should have a reasonable expectation that their PII are protected from unauthorized access, destruction, etc.

Access and Correction. Users should have “reasonable [ability] to access personal data that they have provided, and to rectify, complete, amend, or delete this data.”

Risk Management. Organizations should use risk-based approaches to reduce the risk of potential harm to consumers and increase user privacy.

Accountability. Entities should be accountable—both internally and to external audiences—while using approaches “that enable flexibility, encourage privacy-by-design, and focus on privacy outcomes… [while taking] steps to ensure that their third-party vendors and servicers are accountable for their use, storage, processing, and sharing of that data.”