Ten of the leading associations in the advertising, software, media, and data industries jointly filed the following comments today in response to the National Telecommunications and Information Administration’s (NTIA) request for public comment on “developing the Administration’s approach to consumer privacy” (Docket No. 180821780-8780-01).
The associations filing the comments included the Association of National Advertisers, American Association of Advertising Agencies, American Advertising Federation, Association of Magazine Media, Consumer Data Industry Association, Insights Association, Interactive Advertising Bureau, National Business Coalition on E-Commerce and Privacy, Network Advertising Initiative, and Software & Information Industry Association.
November 9, 2018
Submitted Via Email: [email protected]
U.S. Department of Commerce
1401 Constitution Avenue NW, Room 4725
Attn: Privacy RFC
Washington, DC 20230
RE: Request for Public Comments on “Developing the Administration’s Approach to Consumer Privacy”
To Whom It May Concern:
The undersigned associations represent thousands of companies that innovate and compete in data-driven industries, and which for decades have been leaders in consumer privacy matters. As a result of our members’ experience working with and helping shape privacy regimes across different industry sectors in the United States and abroad, we know firsthand the benefits and drawbacks of the various approaches to privacy regulation. As such, we appreciate the opportunity to provide the National Telecommunications and Information Administration (“NTIA”) feedback on its Request for Comment (“RFC”). Outlined below are the concepts and approach we believe are best suited to create lasting protections for consumers and foster a competitive and innovative marketplace.
History has shown that consumers benefit from thoughtful and measured approaches to privacy. For example, the existing privacy regulatory framework, based in part on the concepts of transparency and choice, has enabled tremendous growth and innovation in the modern economy while protecting consumer privacy and giving consumers meaningful options for how data about them will be used. Myriad consumer benefits, whether in the form of free or low cost services supported by advertising, or personalized services that deliver the right product or information at the right time, have transformed our daily lives in countless ways. New rules at the state level, however, are now threatening to disrupt this framework and fragment the marketplace. As such, we believe that the time is ripe for federal action on privacy that better reflects the interests of consumers and innovators, and our national economy.
To help drive forward the conversation about the next generation of privacy standards, we provide in these comments a high-level overview of a new privacy regulatory approach—the New Paradigm—that can help regulators, consumers, and market participants determine the merits and appropriate treatment of various data practices. We encourage the NTIA to consider the New Paradigm and the guiding principle of reasonableness, which already is implicit in many current U.S. privacy laws, as the Administration charts its approach to consumer privacy. Similarly, we encourage the NTIA to address the emerging fragmentation in state privacy laws. If inconsistent approaches at the state and local level are not harmonized, such laws will create patchwork regulation of the Internet that consumers will not understand and that will not serve their interests.
In support of the NTIA’s decision-making process and its activities, we recommend that the Administration prioritize and conduct a cost-benefit analysis of proposed privacy frameworks and competing state solutions, including an analysis of the economic impact of the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”). Such an analysis would be timely and would help inform lawmakers, consumers, and industry of the impact of various data privacy proposals on consumers and the economy.
A New Privacy Paradigm
Evaluating data practices based on their reasonableness should be a foundational point in any new national privacy standard regarding the collection or use of data. Under the New Paradigm, unreasonable data practices should be specifically prohibited, while reasonable data practices should be expressly permitted and encouraged.
Data practices should be assessed holistically through a reasonableness standard that could weigh, for instance: (i) the consumer harms and benefits, (ii) the objective expectation of a reasonable consumer; and (iii) the relevant management and risk mitigation practices of an organization (e.g., transparency, choice, downstream contractual protections, data security, and adherence to self-regulatory standards). Many data practices, or categories of data practices, could be classified as either per se unreasonable or per se reasonable and any remaining non-classified practices could be analyzed using the factors described above. As the New Paradigm matures and is applied by regulators, consumers and businesses will gain increasing clarity regarding the treatment of data practices that are not clearly per se reasonable or unreasonable.
The New Paradigm’s proposed reasonableness test is an expansion upon current domestic and foreign privacy laws and standards. The Federal Trade Commission’s (“FTC”) 2012 staff report on privacy, for instance, makes specific allowances for a company’s collection and use of data in a manner consistent with the context of the transaction or with the company’s relationship with the consumer, noting that a company does not need to provide consumer choice in these circumstances. Similarly, the Gramm-Leach-Bliley Act (“GLBA”) includes the concept of reasonableness when it provides specific allowances for the use of nonpublic personal information. The Fair Credit Reporting Act (“FCRA”) also enshrines a reasonableness-like standard through its allowance of permissible purposes for the use of consumer reports. Inherent in the FTC staff report, the GLBA, the FCRA, and other U.S. privacy laws and standards is the recognition that reasonable data practices should be specifically allowed by law and unreasonable practices should be prohibited. This concept also aligns with some elements of the GDPR, which recognizes an organization’s legitimate interests as a lawful basis for processing personal data.
A Balanced Approach to Achieve Consumer Protection and National Prosperity Consistent with the NTIA’s Goals
As a general matter, the NTIA has asked for comments on a set of “privacy outcomes” that are grounded in a “risk-based approach” and that are “reasonable and appropriate for context.” The New Paradigm helps achieve these outcomes by requiring the evaluation of data practices for reasonableness, which will likely include both a review of the risks related to the data practice and the context in which the data practice occurs. In effect, the New Paradigm’s reasonableness categories and factors help establish and support core concepts put forward by the NTIA.
The New Paradigm also aligns with the NTIA’s request for a risk management approach that “affords organizations flexibility and innovation in how to achieve these outcomes,” without creating a loophole for bad actors to exploit. Consistent with the NTIA’s proposed approach, and an improvement over the CCPA and the GDPR, the New Paradigm does not create a one-size-fits-all privacy standard for every piece of data or for every kind of data practice regardless of risk, context, or the sensitivity of the data. Such an inflexible approach creates major barriers to entry for new market participants because it raises the risks and costs of holding data, even when privacy harms are remote. The New Paradigm instead provides a set of factors a company can use to evaluate its data practices that is tailored to its circumstances and customer relationships, thereby establishing a regulatory standard under which all companies, large or small, and across industries can thrive.
In keeping with the NTIA’s goals, to ensure the successful implementation of a national privacy standard that provides strong consumer protections and that reduces regulatory fragmentation, we recommend that the FTC enforce the concepts underlying the New Paradigm as a single national standard, which supersedes state privacy laws.
We encourage the NTIA to consider the concepts underlying the New Paradigm, and the guiding principle of reasonableness, to help refocus the privacy discussion on how to create lasting protections for consumers in a modern, data-driven economy. The NTIA should also work to prevent the emerging regulatory fragmentation at the state level, and advocate for the adoption of a national standard that is more rational, effective, and productive for both consumers and market actors.
Finally, we believe that the Administration is well positioned to provide a cost-benefit analysis of the impact of proposed privacy frameworks and emerging state laws. We hope the Administration will leverage its capabilities to conduct these assessments to help consumers, lawmakers, and industry understand the impact of various data privacy proposals.
We look forward to working with the Administration to ensure that the United States remains at the forefront of innovation and consumer protection. If you have questions, please contact any of the undersigned.
Association of National Advertisers
American Association of Advertising Agencies
American Advertising Federation
Association of Magazine Media
Consumer Data Industry Association
Interactive Advertising Bureau
National Business Coalition on E-Commerce and Privacy
Network Advertising Initiative
Software & Information Industry Association
SOURCE Coalition of Advertising, Software, Media and Data Associations