Yesterday, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a Request for Comments (RFC) on a new consumer privacy approach that is designed to focus on outcomes instead of prescriptive mandates. The RFC presents an important opportunity for organizations to provide legal and policy input to the administration, and comments are due October 26.
The RFC notes that there is a fragmented approach to privacy, both in the U.S. and worldwide, as a “growing number of foreign countries, and some U.S. states, have articulated distinct visions for how to address privacy concerns.” Such fragmentation increases regulatory costs and hinders innovation. Furthermore, the RFC says the current prescriptive approach “does not necessarily provide measurable privacy benefits” and leads to “long, legal, regulator-focused privacy policies and check boxes, which only help a very small number of users” and stymie innovation.
The RFC proposes seven desired outcomes that should underpin privacy protections: Transparency, control, reasonable minimization (of data collection, storage length, use, and sharing), security, access and correction, risk management, and accountability. According to the RFC, the outcome-based approach will provide greater flexibility, consumer protection, and legal clarity. The new approach also seeks to reduce fragmentation and increase harmonization and interoperability.
Additionally, the RFC describes eight overarching goals for federal action on privacy:
- Regulatory harmonization
- Legal clarity while maintaining the flexibility to innovate
- Comprehensive application
- Risk and outcome-based approach
- Interoperability
- Incentivize privacy research
- FTC enforcement
- Scalability
The NTIA is seeking comments on the listed outcomes and goals, as well as other issues such as if the FTC needs additional resources to achieve the goals.
The authors wish to thank Gregory Oshel for his assistance in preparing this article.