Commerce Department Releases Online Commercial Privacy Framework in Report

Today, the U.S. Department of Commerce released its version of an online commercial data privacy framework in a report entitled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The report is the result of a review by the Commerce Department’s Internet Policy Task Force, launched in April of 2010, which included staff from National Telecommunications and Information Administration (NTIA), the International Trade Administration, and the National Institute for Standards and Technology. The report comes two weeks after the Federal Trade Commission (FTC) released a preliminary staff report also on recommendations for an online privacy framework.

The report presents possible approaches to develop an online data privacy framework and proposes questions for further comment. The report includes four broad categories of

strictly commercial data privacy policy recommendations: (1) recognize a set of baseline Fair Information Practice Principles; (2) develop industry-specific privacy codes of conduct; (3) encourage global interoperable privacy frameworks; and (4) create a Federal commercial data security breach notification law.

  • A. Fair Information Practice Principles. The report recommends development of a set of baseline Fair Information Practice Principles to protect privacy and encourage informed consent without hindering commerce, including the following broad policy options:
    • Baseline commercial data privacy policies to fill gaps in the law;
    • Voluntary and enforceable codes of conduct that can adapt to dynamic technologies and business models;
    • Codes of conduct with safe harbor” practices protected against FTC enforcement;
    • Limited rulemaking over certain principles if proscriptive regulation required in response to established market failures; and
    • Lower barriers to international online commerce.
  • The report also highlights certain specific principles that should receive high priority” based on the framework, including:
    • Enhancing transparency through simple, clear privacy policies and notices;
    • Clear articulation to consumers on the purposes for data collection and limiting the use of consumer data to those purposes; and
    • Accountability through expanded use of robust auditing and enforcement.
  • B. Industry-Specific Privacy Codes of Conduct. Protecting privacy through voluntary and enforceable FTC-approved codes of conduct. More specifically, the report recommends:
    • Public statements by the Administration to persuade industry to develop voluntary, enforceable Privacy Codes of Conduct;
    • Increased FTC enforcement actions under current law to encourage the development of voluntary codes of conduct;
    • Legislation creating safe harbor” protections against FTC enforcement for companies that abide by FTC-approved voluntary codes of conduct developed through an open multi-stakeholder process;
    • Creation of a Privacy Policy Office within the Commerce Department to develop commercial data privacy policy, engage industry and develop and administer voluntary codes of conduct, and provide consumer privacy education; and
    • Maintain the FTC as the leader in consumer privacy enforcement.
  • C. Encourage Global Interoperable Privacy Frameworks. The report recommends that the Federal government continue to cooperate with other nations to respect their commercial data privacy frameworks. The report proposes developing a global privacy framework that decreases the costs of doing business, provides consumers consistent protection worldwide, and encourages economic growth. In the report, the Commerce Department voiced support for the APEC Data Privacy Pathfinder Project model, which adopts privacy principles on personally identifiable information, for cooperation on data privacy between nations.
  • D. Create Federal Data Security Breach Notification Requirement. The report proposes creating a Federal comprehensive framework to govern security breaches of sensitive commercial data that includes notice requirements, encourages companies to create data security measures, and allows the states to expand upon these measures.

The report also recommends privacy principles that do not conflict with the strong patchwork of laws that currently protect privacy and that allow the states to also act in the privacy arena. It calls for a review of the Electronic Communications Privacy Act regarding cloud computing and location-based services.

The Commerce Department also released a Notice and Request for Public Comment seeking public comments on the proposals and questions posed in the report, which are due on or before January 28, 2011. A copy of the Press Release on the report is available by clicking here.

In sum, the much-anticipated Commerce Department’s recommendations may shape the ongoing policy debate regarding consumer data privacy. A client advisory with more detailed analysis of the Commerce Department’s report is forthcoming.