American Society of Magazine Editors

Administration Calls for Privacy Legislation


While privacy legislation has been a back burner issue in Congress so far this year, the Obama Administration has significantly ramped up its level of activity in the privacy arena. Both the Federal Trade Commission and the National Telecommunications Information Administration in the Department of Commerce issued reports on privacy in the past two months. The FTC report, Protecting Consumer Privacy in an Era of Rapid Change, issued March 26, is the final version of a preliminary report issued at the end of 2010. Similarly, The NTIA report, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, issued February 23, is a follow up to a 2010 Commerce report. Both the FTC and Commerce reports recommend a government/private sector approach to privacy protection, with both agencies recommending legislative action combined with enhanced industry self regulation.

The FTC report incorporates feedback from hundreds of comments received from industry, privacy advocates, consumers, and academics. As in the 2010 report, the FTC recommends a privacy framework with three elements – privacy by design; simplified choice, and greater transparency. In addition to explaining how the FTC took into account the comments it received on the preliminary report, the report highlights areas where the FTC intends to focus its attention over the course of the next year. These include "Do Not Track," mobile, data brokers, ISPs, and enforceable self-regulation.

Acknowledging industry efforts to implement self-regulation with respect to behavioral advertising, the FTC said that industry can and should do better, urging implementation of a universal, easy to use, persistent, comprehensive, and enforceable do-not-track system. With respect to mobile, the FTC will host a workshop on May 30 to look at, among other issues, mobile privacy disclosures. Elevating the issue of data brokers, the FTC recommends there be a centralized website where data brokers could identify themselves to consumers and describe how they collect and use consumer data. The FTC would like to see data brokers detail the access rights and other choices they provide with respect to the consumer data they maintain. The final focus this coming year will be large platforms – ISPs, social media – that have a comprehensive tracking ability that the FTC believes needs attention.

Like the FTC report, the NTIA report establishes a privacy framework – in NTIA's case consisting of a consumer privacy "Bill of Rights."  The Bill of Rights contains seven principles: individual control; transparency; respect for context; security; access and accuracy; focused collection; and accountability. While recommending that Congress enact comprehensive privacy legislation to implement the Bill of Rights, acknowledging the challenge of that task (confirmed by a cool reception to the proposal at a hearing held on the bill in late March,) NTIA also recommends establishment of a multi-stakeholder process to develop enforceable codes of conduct for industry, with all parties of the privacy ecosphere - industry, privacy advocates, individuals, Attorneys General, and others – participating. NTIA envisions a safe harbor, such that companies that adopt the code resulting from the multi-stakeholder process would have a safe harbor against FTC enforcement action.

As a first step toward establishing the multi-stakeholder process, Commerce asked for comments on how the process should work. Comments centered around industry's concern about its ability to speak privately, a desire for NTIA to play a convening role and not inject opinions in the process, and the need for respect for existing self-regulatory programs in place, and in creation.

With an eye to the new EU privacy proposal introduced in January, the NTIA report encourages cooperation and coordination among different countries to create uniform data privacy approaches. Commerce hopes that its report will answer EU concerns about data security in the United States.