The White House privacy process went public today, as the National Telecommunications and Information Administration (NTIA) released a request for comment on "ways to advance consumer privacy while protecting prosperity and innovation."

Titled "Developing the Administration's Approach to Consumer Privacy," NTIA notes that the "time is ripe" for the U.S. to lead on privacy. A "growing number of foreign countries, and some U.S. states, have articulated distinct visions for how to address privacy concerns, leading to a nationally and globally fragmented regulatory landscape. Such fragmentation naturally disincentivizes innovation by increasing the regulatory costs for products that require scale. The Administration hopes to articulate a renewed vision, one that reduces fragmentation nationally and increases harmonization and interoperability nationally and globally."

Reiterating some of the details we learned from NTIA last week, the document notes that "This approach is divided into two parts: (1) a set of user-centric privacy outcomes that underpin the protections that should be produced by any Federal actions on consumer-privacy policy, and (2) a set of high-level goals that describe the outlines of the ecosystem that should be created to provide those protections." The notice specifically "does not call for the creation of a statutory standard," instead "looking to commenters to respond with details as to how these privacy outcomes and goals can be achieved."

The document suggests that mandating the method of achieving privacy principles doesn't necessarily result in the best outcome for consumers. "For example, the consent of an informed user is the end-goal of most approaches to consumer privacy, but in order to create legal clarity, this principle is implemented by mandating notice and choice. To date, such mandates have resulted primarily in long, legal, regulator-focused privacy policies and check boxes, which only help a very small number of users who choose to read these policies and make binary choices." By contrast, the White House proposes instead to "refocus on the outcomes of organizational practices, rather than on dictating what those practices should be. The desired outcome is a reasonably informed user, empowered to meaningfully express privacy preferences, as well as products and services that are inherently designed with appropriate privacy protections, particularly in business contexts in which relying on user intervention may be insufficient to manage privacy risks."

"Using a risk-based approach," reads the document, "the collection, use, storage, and sharing of personal data should be reasonable and appropriate to the contex. Similarly, user transparency, control, and access should be reasonable and appropriate relative to context." The Administration thus proposes "that these outcomes be operationalized through a risk-management approach, one that affords organizations flexibility and innovation in how to achieve these outcomes." Further, an approach based on outcomes "emphasizes flexibility, consumer protection, and legal clarity can be achieved through mechanisms that focus on managing risk and minimizing harm to individuals arising from the collection, storage, use, and sharing of their information."

The outcomes were proposed by NTIA "to spur comments, discussion, and engagement on how best to achieve user-centric privacy outcomes in a manner that is both flexible and clear, not to propose the text of a legal standard. They should be read as a set of inputs for building better privacy protections into products and services." The principles include:

  1. "Transparency. Users should be able to easily understand how an organization collects, stores, uses, and shares their personal information. Transparency can be enabled through various means. Organizations should take into account how the average user interacts with a product or service, and maximize the intuitiveness of how it conveys information to users. In many cases, lengthy notices describing a company’s privacy program at a consumer’s initial point of interaction with a product or service does not lead to adequate understanding. Organizations should use approaches that move beyond this paradigm when appropriate."
  2. "Control. Users should be able to exercise reasonable control over the collection, use, storage, and disclosure of the personal information they provide to organizations. However, which controls to offer, when to offer them, and how they are offered should depend on context, taking into consideration factors such as a user’s expectations and the sensitivity of the information. The controls available to users should be developed with intuitiveness of use, affordability, and accessibility in mind, and should be made available in ways that allow users to exercise informed decision-making. In addition, controls used to withdraw the consent of, or to limit activity previously permitted by, a consumer should be as readily accessible and usable as the controls used to permit the activity."
  3. "Reasonable Minimization. Data collection, storage length, use, and sharing by organizations should be minimized in a manner and to an extent that is reasonable and appropriate to the context and risk of privacy harm. Other means of reducing the risk of privacy harm (e.g., additional security safeguards or privacy enhancing techniques) can help to reduce the need for such minimization."
  4. "Security. Organizations that collect, store, use, or share personal information should employ security safeguards to secure these data. Users should be able to expect that their data are protected from loss and unauthorized access, destruction, use, modification, and disclosure. Further, organizations should take reasonable security measures appropriate to the level of risk associated with the improper loss of, or improper access to, the collected personal data; they should meet or ideally exceed current consensus best practices, where available. Organizations should secure personal data at all stages, including collection, computation, storage, and transfer of raw and processed data."
  5. "Access and Correction. Users should have qualified access personal data that they have provided, and to rectify, complete, amend, or delete this data. This access and ability to correct should be reasonable, given the context of the data flow, appropriate to the risk of privacy harm, and should not interfere with an organization’s legal obligations, or the ability of consumers and third parties to exercise other rights provided by the Constitution, and U.S. law, and regulation."
  6. "Risk Management. Users should expect organizations to take steps to manage and/or mitigate the risk of harmful uses or exposure of personal data. Risk management is the core of this Administration’s approach, as it provides the flexibility to encourage innovation in business models and privacy tools, while focusing on potential consumer harm and maximizing privacy outcomes."
  7. "Accountability. Organizations should be accountable externally and within their own processes for the use of personal information collected, maintained, and used in their systems," and "external accountability should be structured to incentivize risk and outcome-based approaches within organizations that enable flexibility, encourage privacy-by-design, and focus on privacy outcomes. Organizations that control personal data should also take steps to ensure that their third-party vendors and servicers are accountable for their use, storage, processing, and sharing of that data."

With those outcomes in mind, the White House also seeks comments on their proposed "high-level goals for Federal action" and how they can be achieved:

  1. "Harmonize the regulatory landscape. While the sectoral system provides strong, focused protections and should be maintained, there is a need to avoid duplicative and contradictory privacy-related obligations placed on organizations. We are actively witnessing the production of a patchwork of competing and contradictory baseline laws. This emerging patchwork harms the American economy and fails to improve privacy outcomes for individuals, who may be unaware of what their privacy protections are, and who may not have equal protections, depending on where the user lives. Steps need to be taken to ensure that the regulatory landscape for organizations that process personal data in the United States remains flexible, strong, predictable, and harmonized."
  2. "Legal clarity while maintaining the flexibility to innovate. The ideal end-state would ensure that organizations have clear rules that provide for legal clarity, while enabling flexibility that allows for novel business models and technologies, as well as the means to use a variety of methods to achieve consumer-privacy outcomes. The Administration understands that balancing legal clarity, flexibility, and consumer privacy requires compromise and creative thinking. It is in striking this balance, however, that the United States has been able to maintain international leadership in both innovation and privacy enforcement, and any future action should strive to create a system that to the greatest extent possible maximizes each."
  3. "Comprehensive application. Any action addressing consumer privacy should apply to all private sector organizations that collect, store, use, or share personal data in activities that are not covered by sectoral laws. The differences between business models and technologies used should be addressed through the application of a risk and outcomebased approach, which would allow for similar data practices in similar context to be treated the same rather than through a fragmented regulatory approach."
  4. "Employ a risk and outcome-based approach. Instead of creating a compliance model that creates cumbersome red tape—without necessarily achieving measurable privacy protections—the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes. Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs, when making decisions about how to adopt various privacy practices. Outcome-based approaches also enable innovation in the methods used to achieve privacy goals. Risk and outcome-based approaches have been successfully used in cybersecurity, and can be enforced in a way that balances the needs of organizations to be agile in developing new products, services, and business models with the need to provide privacy protections to their customers, while also ensuring clarity in legal compliance."
  5. "Interoperability. The growth and advancement of the Internet-enabled economy depends on personal information moving seamlessly across borders. However, the Administration recognizes that governments approach consumer privacy differently, creating the need for mechanisms to bridge differences, while ensuring personal data remains protected. The Administration should therefore seek to reduce the friction placed on data flows by developing a regulatory landscape that is consistent with the international norms and frameworks in which the United States participates, such as the APEC Cross-Border Privacy Rules System."
  6. "Incentivize privacy research. The U.S. Government should encourage more research into, and development of, products and services that improve privacy protections. These technologies and solutions will include measures built into system architectures or product design to mitigate privacy risks, as well as usability features at the user-interface level. These innovations require more research into understanding user preferences, concerns, and difficulties, as well as an understanding of the impact on legal obligations of third parties and the ability of third parties to exercise other rights provided by law. Privacy research will inform the development of standards frameworks, models, methodologies, tools, and products that enhance privacy."
  7. "FTC enforcement: Given its history of effectiveness, the FTC is the appropriate federal agency to enforce consumer privacy with certain exceptions made for sectoral laws outside the FTC’s jurisdiction, such as HIPAA. It is important to take steps to ensure that the FTC has the necessary resources, clear statutory authority, and direction to enforce consumer privacy laws in a manner that balances the need for strong consumer protections, legal clarity for organizations, and the flexibility to innovate."
  8. "Scalability: The Administration should ensure that the proverbial sticks used to incentivize strong consumer privacy outcomes are deployed in proportion to the scale and scope of the information an organization is handling. In general, small businesses that collect little personal information and do not maintain sensitive information about their customers should not be the primary targets of privacy-enforcement activity, so long as they make good-faith efforts to utilize privacy protections. Similarly, there should be a distinction between organizations that control personal data and third-party vendors that merely process that personal data on behalf of other organizations. Just as organizations should employ outcome-based approaches when developing privacy protections for their customers, the government should do the same with its approach to privacy enforcement and compliance."

Although NTIA tried to cover a lot of ground in the document, the request for comment also asked: (1) if there are other goals that they missed, "or outcomes that should be expanded upon;" (2) if the descriptions are clear and accurate; and (3) if there are "any risks that accompany the list of goals, or the general approach taken." It also sought comments describing "next steps and measures" for the White House to take, such as through "procurement" or "non-regulatory action," or convening of stakeholders, or other means. NTIA also asked about defining key terms, whether any in the document "require more precise definitions" and if so what those might be, and if any other terms "would benefit from more precise definitions" and what those might be.

Since NTIA is focused on international interoperability, the document asks if "all or some of the outcomes or high-level goals described in this RFC were replicated by other countries, do you believe it would be easier for U.S. companies to provide goods and services in those countries?

The FTC is intended to "continue as the Federal consumer privacy enforcement agency, outside of sectoral exceptions beyond the FTC’s jurisdiction," according to NTIA. So, in order to achieve NTIA's goals, "would changes need to be made with regard to the FTC’s resources, processes, and/or statutory authority?"

Finally, in a last open-ended question, NTIA asks if "there other ways to achieve U.S. leadership that are not included... or any outcomes or high-level goals in this document that would be detrimental to achieving the goal of achieving U.S. leadership?"

Comments are due to NTIA by November 9 and the Insights Association welcomes input from our members in the marketing research and data analytics industry on how best to respond.

(updated after NTIA extended the comment period)