A view from beyond the tech giants

NTIA, an agency of the Commerce Department, recently issued a Request for Comments on a proposed approach to consumer data privacy, “Developing the Administration’s Approach to Consumer Privacy.” The deadline for that feedback was Nov. 9; the comments were made public on Nov. 13.

The Credit Union National Association was among the groups weighing in on the NTIA process. Its priorities for data security include:

• A flexible, scalable standard;
• A notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm;
• Consistent, exclusive enforcement of the new data security and notification national standard by the Federal Trade Commission (FTC) and state attorneys general; and
• “Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard.”

“The compliance costs are particularly heavy for smaller operators with less discretionary spending,” the association noted.

The Computer & Communications Industry Association asked that any policy include safe harbors and flexibility for companies to evolve with changing technology.

“Good policy has the potential of setting a national baseline for privacy across sectors and supporting innovation, while allowing companies’ flexibility in how they deliver a level of privacy consumers expect based on the sensitivity of particular data,” CCIA President & CEO Ed Black says.

Public Knowledge, a consumer advocacy group, contended that any privacy regime should, “at a minimum, account for risks beyond traditional harms, such as financial loss, to include damages such as reputational harm and undermining public trust.” It urged the NTIA to consider “the full panoply of risks” that may arise from misuse of personal data.”

“Although the NTIA articulates a number of important outcomes and high-level goals for federal action, notably absent are outcomes and goals around fairness, consumer protection, and equal opportunity,” says Allie Bohm, policy counsel for the organization. “The proposal also leans too heavily on a risk-based approach and on ‘reasonableness,’ a term that individuals and businesses likely interpret very differently.”

With similar concerns, 34 civil rights, consumer, and privacy organizations joined forces to comment on the government’s effort and release “public interest principles for privacy legislation.”

They outlined concepts “that any meaningful data protection legislation should incorporate at a minimum,” including:

• Privacy protections must “be strong, meaningful, and comprehensive”
• Data practices must protect civil rights and prevent unlawful discrimination
• Governments at all levels should play a role in protecting and enforcing privacy rights

“The big banks and the big tech companies all say that they want a federal privacy law, but the law that their phalanx of lobbyists seeks isn’t designed to protect consumers,” said Ed Mierzwinski, senior director for Consumer Programs at U.S. PIRG. “Instead, it’s designed to protect their business models that treat consumers as commodities for sale; it fails to guarantee that their secret sauce big data algorithms don’t discriminate; it eliminates stronger and innovative state laws forever; and it denies consumers any real, enforceable rights when harmed. We can’t allow that.”

With a much different view, Citizens Against Government Waste President Tom Schatz also submitted that group’s recommendations. He made reference to the California Consumer Privacy Act.

“The bill, which was rushed through the legislature in a few days, imposes extremely onerous requirements on how companies must store and provide access to consumers’ personal information, as well as harsh restrictions on the types of product and service options and discounts companies may offer to their customers,” he wrote. “There is an overriding concern that without the adoption of a consistent national privacy protection regime that preempts state and local laws, more states will follow California’s example, further complicating the privacy regulatory environment that companies, large and small, must negotiate.”