Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct: Comments to the Department of Commerce, National Telecommunications and Information Administration

Advocacy Comments

Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct

Docket No. 120114135-2135-01

 

Submitted April 2, 2012

 

I. Support for Consumer Privacy Legislation

II. Multistakeholder Process: Procedure

III. Multistakeholder Process: Topics to Address

 

The Privacy Rights Clearinghouse (PRC) appreciates the opportunity to comment on the National Telecommunications and Information Administration's (NTIA) proposed multistakeholder process to develop data privacy codes of conduct.  The PRC is a nonprofit consumer privacy organization with a two-part mission: consumer education and consumer advocacy. We were established in 1992, are based in San Diego, CA, and serve consumers nationwide.[1]

 

The PRC has invited individuals to contact us with their privacy questions and complaints since our inception. We have worked on a variety of informational privacy issues in both online and offline contexts, including online data brokers, identity theft, employment background checks, wireless phones, financial privacy, telemarketing, credit reporting, and children’s privacy.

 

In addition, PRC is one of the few nonprofit organizations whose mission and purpose center solely on privacy.  Other such organizations include the World Privacy Forum (WPF) and the Electronic Privacy Information Center (EPIC).[2]  We believe nonprofit organizations that focus solely on privacy and have an historical understanding of the issue should be considered key stakeholders in the NTIA's multistakeholder process. 

 

Finally, California-based privacy groups like the PRC bring a unique perspective to a multistakeholder process that is based in Washington, DC.  The PRC focuses its legislative efforts in California, a state that often leads the nation in privacy protections. We believe it is necessary for the NTIA to seek the involvement of geographically diverse stakeholders in the multistakeholder process.

 

I. Support for Consumer Privacy Legislation

PRC is pleased that the Administration has recognized the need to take action on consumer privacy issues and set forth a Consumer Privacy Bill of Rights.[3]  We support the Administration's call for legislation implementing the full Consumer Privacy Bill of Rights, and emphasize that enforceable codes of conduct generated by a multistakeholder process should not supersede or delay this objective.

 

II. Multistakeholder Process: Procedure

While our ultimate goal is to see the Administration propose draft legislation to Congress, PRC will put our best efforts towards working within a multistakeholder process to create enforceable codes of conduct that implement the full Consumer Privacy Bill of Rights.  PRC is prepared to take the multistakeholder process seriously, and we believe that all stakeholders must do the same to make a consensus-driven process work.  We believe that the NTIA must carefully implement certain overarching principles into the multistakeholder process to create and maintain both its legitimacy and its effectiveness.

 

PRC specifically directs the NTIA to a set of principles put forth by the World Privacy Forum (Multistakeholder Principles).[4] A large number of non-governmental organizations and privacy advocates, including the PRC, publicly support the Multistakeholder Principles and request that the NTIA implement them as the convener of the multistakeholder process.  The World Privacy Forum has filed the Multistakeholder Principles separately in response to the NTIA's request for public comments.

 

Moreover, before it convenes the multistakeholder process, the NTIA must address, and, to the extent possible, resolve potential difficulties surrounding certain issues.

 

The multistakeholder process must be truly open, transparent, and consensus-driven.  We believe a broad range of stakeholders should, to the extent practicable, shape how the processes will run and define what constitutes consensus. All interested stakeholders should have the opportunity to meet and offer input regarding how the multistakeholder process will work prior to the commencement of the first process. 

 

As convener, NTIA should minimize the number of closed meetings it holds with any stakeholders (especially those discussing substantive matters), as doing so in lieu of open meetings will erode its neutrality and the process' legitimacy. Ideally, there would be no closed meetings between NTIA and any stakeholder. It is also important to delineate clear standards for both the convener role that the NTIA will play, and the facilitator role that we strongly recommend contracting out to an independent third party.  In fact, it is possible NTIA may need to contract with a different facilitator for each process depending on the issue.

 

Multistakeholder processes should be transparent with regard to any interested stakeholder.  The NTIA must be transparent throughout the processes, and stakeholders must be transparent about whose interests they represent. We believe that the World Wide Web Consortium (W3C) is a good example of a transparent standards-setting community and process.[5]  It is also important to emphasize that successful consensus-based processes, like the W3C's, do not consider "consensus" to mean a simple majority vote.

 

There must be adequate public-interest presence and participation.  The NTIA is certainly aware that the majority of public interest groups face great resource constraints.  These often include both extremely limited financial resources and staff bandwidth. Without preemptively addressing this issue, industry associations and many stakeholder companies will come into a multistakeholder process with an automatic advantage.  We believe that the NTIA, as convener, should take the lead in determining how public interest organizations can logistically work through this disadvantage. 

 

Allowing for meaningful public-interest participation means many things.  To begin, it is important to note that the public interest community has wide-ranging positions and expertise.  No single group represents the total views and interests of the community.  It is important that all privacy-focused groups have a seat at the table if they want one.

 

In addition, many, if not most, public-interest organizations have limited staffing.  Therefore, if the NTIA conducts multiple processes during the same time period, it will be very difficult for many public-interest organizations to fully participate.  We recommend that the NTIA not hold more than one or two processes simultaneously.

 

Furthermore, many public-interest nonprofits have extremely limited budgets.  Cost should not deter organizations from participating in multistakeholder processes.  It is important that the NTIA help find a way for small organizations, especially those without a DC presence, to participate without putting undue strain on our limited budgets.  One solution would be to hold electronic meetings.  However it chooses to convene stakeholder meetings, we request that the NTIA seriously consider and minimize the burdens that the process will put on stakeholders who represent small organizations.

 

III. Multistakeholder Process: Topics to Address

Ideally, stakeholders, as opposed to the NTIA, would identify and select appropriate issues for a multistakeholder process.  It is exceedingly important that the issues chosen will actually advance consumer privacy interests. No single topic, issue, or industry practice should be exempted from the process because of a pre-existing voluntary or self-regulatory code of conduct.  Self-regulatory codes of conduct are only proposed solutions to recognized privacy problems. Further, they are typically voluntary, and are historically ineffective.

 

Also, no multistakeholder process should commence with a watered-down or insignificant issue for the sake of saving time or appealing to specific stakeholders.  The PRC is particularly concerned with NTIA's proposal to specifically address the "Transparency" principle in mobile app privacy policies to "complement recent commitments by mobile device platform providers to promote transparency in the mobile arena." [6]  We fear that initially narrowing the focus to this extent significantly increases the risk that consumers gain no additional privacy protections.  A better approach to tackling the issue of mobile app privacy would be another mentioned by NTIA, to develop "a code of conduct [for mobile apps] that implements the full Consumer Privacy Bill of Rights."[7]  In fact, all aspects of the Consumer Privacy Bill of Rights should be discussed in every multistakeholder process regardless of the issue.

 

In addition, we believe that the following topics would be appropriate for the multistakeholder process:

Data brokers.  Data brokers are one of the most common subjects of consumer complaints that the PRC receives. The FTC recently addressed data brokers and provided its own recommendations in its report titled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.[8]  

 

The FTC recommends targeted legislation, but, more importantly for the purposes of a multistakeholder process, calls on data brokers to create a centralized website where they identify themselves and describe how they collect and use consumer data, and detail the access rights and other choices they provide.[9]  We believe that developing enforceable practices around this issue (with respect to data brokers that are not subject to the Fair Credit Reporting Act) could provide consumers with increased access, control, and ideally choice with regard to personal information in a largely invisible industry.[10]

 

Facial detection and facial recognition technology. The FTC’s December 2011 workshop on facial detection and facial recognition technologies highlighted a number of critical privacy issues. We believe that developing an enforceable code of conduct implementing the Consumer Privacy Bill of Rights would be appropriate for a multistakeholder process.

 

Additional topics for consideration include:

  • Online services directed towards children and teens
  • Search engine privacy
  • Terms of Service for cloud computing services[11]
  • Social media services' use of personal data[12]

The PRC appreciates the opportunity to comment, and we look forward to working with the NTIA and all stakeholders to create enforceable codes of conduct that implement the full Consumer Privacy Bill of Rights.

 

[1] Privacy Rights Clearinghouse, www.privacyrights.org (last visited 3/20/2012).

[2] See World Privacy Forum, www.worldprivacyforum.org (last visited 3/30/2012); Electronic Privacy Information Center, www.epic.org (last visited 3/30/2012). 

[3] The Executive Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, Feb. 23, 2012, available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.

[4] See Principles for Multi-Stakeholder Process, World Privacy Forum, Feb. 23, 2012, available at http://www.worldprivacyforum.org/pdf/MultiStakeholderPrinciples2012fs.pdf.

[5] See W3C, http://www.w3.org (last visited 3/30/2012).

[6] Department of Commerce, National Telecommunications and Information Administration, Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct, Request for Comments, Docket No. 120214135-2135-01, Mar. 5, 2012, available at http://www.ntia.doc.gov/files/ntia/publications/fr_privacy_rfc_notice_03052012_0.pdf.

[7] Id.

[8] Federal Trade Commission, FTC Report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, March 2012, available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.

[9] See id. at 68 (a. Special Access Mechanism for Data Brokers).

[10] For more information see, for example, Privacy Rights Clearinghouse, Online Information Brokers and Your Privacy, Feb. 2011, http://www.privacyrights.org/ar/infobrokers.htm; FTC Roundtable Series 1 on: Exploring Privacy, Matter No. P095416, Dec. 7, 2009, at 259 (detailing statements made by Pam Dixon, Executive Director, World Privacy Forum, regarding data brokers and a proposed registry), available at http://www.ftc.gov/bcp/workshops/privacyroundtables/PrivacyRoundtable_Dec2009_Transcript.pdf.  

[11] For more information see Consumer Federation of America, Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America Retreat on Cloud Computing, June 2010, available at http://www.consumerfed.org/pdfs/Cloud-report-2010.pdf; Privacy Rights Clearinghouse, The Privacy Implications of Cloud Computing, Mar. 2009, http://www.privacyrights.org/ar/cloud-computing.htm; World Privacy Forum, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, Feb. 2009, http://www.worldprivacyforum.org/cloudprivacy.html.

[12] This includes uses that pose the potential to harm individuals in their job-seeking and academic pursuits.