Today NetChoice filed our comments with the Commerce Department in response to its “Green Paper” on privacy—Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.
Overall, the report contains many proposals that are reasonable and worthy of further exploration. But…(there’s always a but)…the Green Paper implies that we need new federal legislation, though there’s no way we get truly dynamic policies with static stuff like federal legislation.
The Green Paper recommends that Fair Information Practice Principles (FIPPs) be adopted to respond to consumer privacy concerns “by filling gaps in current data privacy protections.” As principles are necessarily high-level, the Green Paper also recommends that Codes of Conduct be adopted to implement the FIPPs.
First, our comments dispute the notion that “gaps” in data privacy laws require government action, or that gaps are even bad to begin with. We believe that a “gap” can also be positive, since its really a space for innovation.
Just think, if prescriptive privacy laws had been in place, they might have prevented many recent innovations in online services. In previous comments, Facebook described how some of its “most popular innovations were initially met with skepticism from privacy advocates. For example, Facebook’s News Feed faced significant controversy when it was first released in 2006.”
But that doesn’t mean that online companies can’t do better at helping users manage their personal data. Privacy policies should be more understandable and useful to consumers. More companies should enroll in self-regulatory programs. And more enforcement tools are needed to hold companies to their policies and promises.
Commerce and the FTC should push self-regulatory approaches, but there are important limits that must be set when it comes to government regulation of data flows. Companies need to innovate without permission from government agencies. Consumers must understand the decisions they make, but also be allowed to make those decisions.
In our comments, we envision an improved industry self-regulatory framework that dynamically adapts to new technologies and services, encourages participation, enhances compliance—and requires no new legislation.
As envisioned in the diagram, FIPPs form the aspirational core that drives business conduct for data privacy. From previous work by the FTC, NAI, and IAB, we extracted four foundational principles for the collection and use of personal data: notice, choice, access, and security.
Codes of Conduct are the specific ways to implement privacy principles. These codes would be developed through self-regulatory bodies, perhaps with help from Commerce’s new Privacy Policy Office. Participating companies would sign-up to apply the Codes of Conduct to their business. It’s this public promise that forms the basis for FTC and state Attorney General enforcement.
While our framework calls for continued industry self-regulation, it relies on government in three critical ways:
- Administration support on the front-end to encourage companies to adopt and attest to the self-regulatory program
- Commerce Department coordination of a multi-stakeholder process to suggest Codes of Conduct for industry to consider
- FTC and state Attorneys General enforcement when companies fail to honor the principles and codes they have promised to uphold.
Overall, we commend Commerce for their Green Paper and see it as a platform for future policy discussions. But at this point NetChoice is waving the yellow caution flag. Because there’s really no such thing as a finish line in a world of perpetual evolution and innovation.