MMTC relaunched its Digital Equity Roundtable series with a discussion and workshop on consumer online privacy with guest speaker Travis Hall, Telecommunications Policy Specialist at the National Telecommunications and Information Administration (NTIA), held at Davis Wright Tremaine on September 19th. Since this workshop, NTIA has released a Request for Comment on approaches to consumer privacy.
The way government regulates the internet has significant potential impacts on communities of color, as well as their access, adoption, and informed use. As MMTC has pointed out, cost, digital literacy, and security concerns are still the driving factors in whether consumers adopt broadband at all, as well as the type of broadband service consumers select to use. If consumers perceive certain services to be unsafe because they could put their personal information at risk, they could avoid services that would improve their quality of life, including banking, telehealth, education, searching and applying for jobs, and civic engagement.
MMTC and other leading civil rights organizations have been vocal on this subject, advocating for a robust and uniform set of privacy protections for users no matter where they navigate online. In light of recent government action around this important issue, MMTC focused its recent Digital Equity Roundtable discussion on consumer online privacy.
- The scope and impact of regulation on companies and the difference in regulatory treatment across platforms;
- How the U.S. intends to regulate consumer online privacy and its current status at the state, federal, and legislative levels; the Facebook/Cambridge Analytica incident;
- International online privacy regulations including the Europe Union’s General Data Protection Regulation (GDPR); and
- Why multicultural advocates should be concerned about consumer online privacy and how regulations impact underrpresented communities.
NTIA’s RFC on Developing the Administration’s Approach to Consumer Privacy
Shortly after the discussion, the National Telecommunications and Information Administration (NTIA) released a Request for Comment (RFC) on ways to advance consumer privacy while protecting prosperity and innovation. The RFC takes an approach focused on goals and outcomes, rather than a strict standard, allowing companies flexibility on how they can achieve those goals and outcomes.
NTIA’s Suggested User-Centric Privacy Outcomes
- (1) Transparency (company collection, storage, use, and sharing practices of personal data should be easily understandable by users)
- (2) Control (companies should offer users reasonable control over collection, use, storage, and disclosure of their PII, based on context such as sensitivity of the information and user expectations)
- (3) Reasonable Minimization (of data collection, storage length, use, and sharing)
- (4) Security (companies that collect, store, use, or share PII should employ security safeguards at all stages)
- (5) Access and Correction (users should have the ability to access, rectify, complete, amend, or delete personal data)
- (6) Risk Management (by organizations to mitigate risk of harmful uses or exposure of personal data)
- (7) Accountability (including steps to ensure 3rd-party vendors and servicers are accountable for their use, storage, processing, and sharing of data)
NTIA’s Suggested High-Level Goals for Federal Action
- (1) Harmonize the Regulatory Landscape (currently a patchwork of state and federal statutes; need to avoid duplicative and contradictory privacy-related obligations on organizations)
- (2) Legal Clarity While Maintaining the Flexibility to Innovate (clear rules that enable flexibility to innovate and use a variety of methods to achieve privacy outcomes; also should maintain U.S. position as an international leader in innovation and privacy)
- (3) Comprehensive Application (consumer privacy action would apply to all private sector orgs that collect, store, use, or share personal data in activities not covered by sectoral laws; application of risk and outcome-based approaches would address differences between business models and technologies)
- (4) Employ a Risk- and Outcome-Based Approach (regulations based on risk-modeling and user-centric outcomes rather than a compliance model that creates cumbersome red tape)
- (5) Interoperability (U.S. regulatory landscape approach should be consistent with international norms and frameworks)
- (6) Incentivize Privacy Research (including understanding user preferences, concerns, and difficulties, as well as impact on legal obligations by 3rd parties and ability of 3rd parties to exercise other rights provided by law)
- (7) FTC Enforcement (affirms FTC’s role as the appropriate agency to enforce consumer privacy, with exceptions outside FTC jurisdiction such as HIPAA; importance of steps to ensure FTC has necessary resources, authority, and direction to enforce laws)
- (8) Scalability (consumer protection outcomes should be deployed in proportion to the scale and scope of information an organization is handling; small businesses that collect little personal information should not be primary targets of privacy-enforcement activity)
RFC Comments and Privacy Impacts on Communities of Color
As mentioned, there are several considerations that should be taken with regard to communities of color when developing consumer online privacy policy. Might certain standards be too onerous for small, diverse businesses? How would consumers’ personal data be protected? Are there additional privacy policy outcomes and goals that should be included with a focus on communities of color? What are the potential impacts the outcomes and goals would have on communities of color?
Comments in response to NTIA’s RFC are due November 9th. MMTC welcomes other advocacy and civil rights organizations to sign on to our comments or share their thoughts with us on some of the questions above. Contact Marcella Gadson, mgadson [at] mmtconline [dot] org for more information.