Comparison of Commerce Department and Federal Trade Commission Privacy Proposals
Just before the end of 2010, both the Commerce Department (here) and the Federal Trade Commission (here) released their agencies' respective proposals for privacy frameworks in the United States. The reports make similar proposals in some respects, but in others are quite different. We have prepared a comparison report on both.
(Thanks to Mintz Levin Project Analyst Anagha Prasad for her contribution to this report)
The Commerce Department's Internet Policy Task Force (IPTF) Green Paper: Commercial Data Privacy
At the center of the IPTF’s proposal is the Dynamic Policy Framework, designed to promote efficiency and while minimizing regulatory barriers. The Dynamic Privacy Framework is intended to address emerging commercial data privacy challenges while enhancing customer service and entrepreneurial innovation, especially given the dynamic nature of markets and technologies.
The goals of the Dynamic Policy Framework can be grouped into four general categories: 1) The implementation of Fair Information Practice Principles (FIPPs); 2) Public-private sector collaboration; 3) Global interoperability; and 4) National standardization for Security Breach Notification (SBN).
FTC Report: Protecting Consumer Privacy
The FTC has traditionally approached privacy protection through two models: 1) the “notice-and-choice” model, in which companies present their data collection practices to consumers who can then make informed choices, and 2) the “harm-based” model, which seeks to protect against violations of physical security, economic injury or other breaches of privacy.
The focus of the FTC staff report is on the development of a privacy framework for businesses and policymakers to supplement these models and address concerns raised at a series of recent roundtables on privacy. The key issues raised at these discussions included lack of consumer awareness about privacy rights, the costs and benefits of increasing information flow, and the accessibility and traceability of personally identifiable information (PII).[1]
The FTC’s framework focuses on three areas: 1) integrating privacy into companies’ regular business operations and product development; 2) increasing the availability of information on choice and data collection to consumers; and 3) increasing transparency.
IPTF and FTC: A Comparison
Perhaps the most notable difference between the two papers is the FTC’s clear recommendation of its policy framework, while the IPTF’s green paper proposes a broader series of approaches without committing to any one prescription. The FTC proposal is structured around the three areas, while the IPTF green paper centers its recommendations on the adoption of Fair Information Practice Principles (FIPPs), which are the core of the Dynamic Policy Framework.
The recommendations in the green paper are less detailed than those discussed in the FTC proposal. For instance, the proposal provides specific examples of policy implementations (such as opt-in versus opt-out consent). Furthermore, the FTC proposal discusses risks, costs, and benefits associated with these potential policies in greater detail than the IPTF green paper. In the IPTF green paper there is no discussion of the relative risks of network-based data collection compared to data collection by edge providers; no proposed definition of personally identifiable information; and no assessment of the efficacy of encryption.
However, the two proposals identify similar challenges to privacy protection:
- Lack of consumer awareness regarding the collection and use of personal information;
- The complicated, often convoluted nature of company privacy policies, a result of the “notice-and-choice” model;
- The growing importance of data collection for businesses, for whom online transactions are increasingly significant;
- The rapid growth of technology and innovation, enabling consumers to share more information and companies to access and collect more information.
Consequently, their recommendations fall under three common themes:
- Emphasis on transparency and consumer choice;
- Companies’ self-assessment and regulation of their privacy framework;
- The role of government in protecting privacy.
1. Transparency & Consumer Choice
The FTC proposal identifies the importance of full disclosure of company practice and accessibility of information to consumers. Part of this initiative involves providing information to consumers at an appropriate time (i.e., when consumers are preparing to choose whether to engage in activities on a certain company’s website). This initiative addresses the volume information given to consumers all at once, a stated flaw under the “notice-and-choice” model.
Similarly, the IPTF paper advocates the use of FIPPs to increase transparency and provide simpler, more salient information to consumers in terms other than “legalese.” According to the FTC, stakeholders should make efforts to educate consumers about the use of their personal information, just as the IPTF calls for the implementation of voluntary codes of conduct to provide more information to consumers. In this vein, both proposals highlight options such as a “Do-Not-Track” list to protect consumers, each pointing out that many individuals are largely unaware of the traceable information available to companies.
2. Self-Assessment and Regulation
Self-assessment and regulation are underscored in both papers in varied language. The FTC proposal calls for the integration of privacy practices into a company’s regular business operations, while the IPTF report makes repeated references to voluntary codes of conduct across industries.
The FTC proposal recommends implementing privacy practices into all stages of a product’s development. Proposed practices include encryption, verifying data accuracy, limiting data collection, developing effective retention strategies, and conducting periodic reviews of one’s privacy framework. The IPTF green paper presents similar approaches, including PIAs, or privacy impact assessments, which enable individuals and companies to assess the costs and benefits of engaging in specific activities. Other proposed measures include actively specifying purposes for data collection, limiting the use of data, and periodic auditing.
3. Government Role
In both proposals, government participation is central the development of an enhanced framework. Throughout the FTC proposal, there are questions regarding the level and scope of government involvement in privacy enforcement and education, an indicator of the complex role of government in privacy protection. Moreover, although the FTC enforces violations of privacy and educates youth and adult consumers about information sharing, there is an increasing emphasis on companies to actively engage in the development of an updated privacy framework.
The IPTF also reveals the multifaceted nature of government involvement. In addition to being an enforcer and educator, through the proposed Privacy Policy Office (PPO), government would take on the role of facilitator between industry players and regulators. Like the FTC proposal, the IPTF green paper also highlights the obligation of companies in strengthening the framework through voluntary codes of conduct.
Finally, each proposal highlights the potential barriers to trade and commerce that may arise from increased regulatory activity and, consequently, the importance of collaboration with OECD and APEC in facilitating cross-border transactions.
Conclusion
Both papers outline proposed frameworks to address commonly perceived challenges to consumer privacy protection. While the FTC paper outlines a formal proposal and is more granular in scope, the IPTF green paper makes broader policy suggestions. The papers touch upon common broad themes and make similar assertions on how to improve transparency and participation by industry players in privacy protection. In this respect, the central role of government—whether as a regulator, educator, or facilitator—is also made clear in both proposals.
[1] PII is defined in the paper as one’s name, address, or social security number.