Numerous groups have filed comments in response to the Commerce Department’s December release of and request for comments on a green paper (Commerce pdf here; archive pdf here) on privacy, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” In it, the agency included a proposal for a Privacy Protection Office that would reside within the Commerce Department. I have excerpted a few comments from groups below, but all comments can be viewed here.
The Electronic Frontier Foundation filed comments urging the Commerce Department to support the “Do Not Track” proposal, but also questioning “the practical value of the suggested Commerce Department Privacy Protection Office (PPO). We fear that the PPO would divert resources and attention from the [Federal Trade Commission’s] privacy work by effectively creating a second agency process in the same area.”
EFF believes that the Department can most help promote DNT in two ways. First, the Department can support legislation that would clearly authorize the FTC to act on DNT. We expect that the FTC would engage with the ongoing technical efforts to address compliance and other issues. Second, the Department and the Government at large could, without any legislation, “realistically embrace the header as an improved mechanism for tracking opt outs on government sites.” As security and privacy researcher Christopher Soghoian notes, this can both “[a]void the chaos of 100+ different federal agency opt out cookies” and “provid[e] early support for the Do Not Track header at a time when the technology proposal could very much use a boost.” […]
Our position on the proposed PPO flows largely from our support for the FTC’s primacy in the privacy area. First, we question any suggestion that the FTC’s role here is or should be limited to enforcement. Policy and enforcement are not easily separated in an area so thoroughly involved with technology issues. Investigation and enforcement action will yield technical information that is highly relevant to policy concerns.
We are also concerned that the PPO multi-stakeholder process will interfere with the FTC’s ability to act in this area, either by creating dual policy tracks or by fragmenting scarce resources. Privacy protection has been difficult even with one lead agency on consumer privacy. […]
We are also skeptical about the Department’s emphasis on “voluntary, enforceable codes of conduct”; we are not sure what it means. We assume that this means codes of conduct voluntarily adopted by companies such that lack of compliance by a company would at a minimum subject that company to FTC enforcement under its Section 5 authority, as well as enforcement by state attorneys general and by private individuals under state laws such as California’s Business & Professions Code § 17200 et seq. Because we support the creation of federal private rights of action, we would also generally preserve such rights of action.
The Center for Digital Democracy and US PIRG have filed comments stating that the Commerce Department “is not structured—either historically or operationally—to operate as a consumer protection agency.”
The Department of Commerce is not positioned to play a leading role formulating and enacting meaningful public policies ensuring that consumers can have trust in the digital marketing environment. One looks in vain, for example, for any reference to consumers—or their privacy—in the department’s Mission Statement, or in its online overview (“About the Department of Commerce”). […]
Given the Department’s orientation—to protect the interests of U.S. business interests before the needs of consumers—it is not surprising that it did not work to ensure the creation of a record that included meaningful consumer and privacy group feedback. The Department’s efforts, in short, stand in sharp contrast to the Federal Trade Commission’s series of privacy roundtables around the country, which developed a record with much greater consumer participation. […]
University of California at Berkeley School of Law lecturer and privacy expert Chris Hoofnagle filed comments urging, among other things, that a private right of action be included in data privacy legislation:
In considering this issue, please note that the options for a private right of action are not binary. Private rights of action could be triggered only where a company fails to honor a safe harbor, or some other condition of responsible use of personal information. The Department may also consider flexible caps on damages, as are contained in the CAN-SPAM Act, which explicitly gives courts discretion to reduce damage awards, and is designed to avoid annihilation liability.
Class action liability is daunting, but it is also important to recognize that courts never impose the 9 and 10-figure damages that are theoretically possible under privacy statutes. Even if they did, the Court’s new attention to the substantive due process issues involved in such large damage awards could curtail these damages and make them proportional to the harm proved in the case.
It is also important to consider that without private rights of action, companies may find it efficient to engage in fraud or invade privacy. The politics of enforcement in recent years has led to a landscape where the government may not be able to fine companies enough for harm to the public. For instance, the Toyota car company was recently fined $16.4 million by the Department of Transportation, the largest fine that the agency can levy under the law for concealing information about recalls. It is estimated that Toyota saved $100 million through pursuing a limited recall strategy. […]
In some cases, even very large government fines may not conform behavior to the law. The US government fined Pfizer a staggering $2.3 billion in 2009 for illegal marketing of pharmaceutical drugs. It was the company’s fourth settlement with the government since 2003. With annual revenues of almost $56 billion, the fine could be seen as a cost of doing business to Pfizer. Adding a private right of action diversifies enforcement resources, and could address the problem of agency capture or indifference to consumer problems.
Consumer Watchdog filed comments criticizing the Commerce Department’s call for voluntary self-regulation by businesses and explaining that strong privacy protections for consumers will not restrict business innovation.
While the Report should be commended for recommending the adoption of “Fair Information Practices” (FIPs), it falls short in its failure to call for legislation to implement them. Self-regulation simply has not worked. The United States needs a comprehensive federal privacy law based on FIPs and the Department of Commerce should be an advocate for it. […]
The Report appears to assume that strong privacy protections will hinder business innovation. This is not the case. Privacy enhancing technologies have enabled the commercial use of the Internet. For example, were it not for SSL encryption using the HTTPS protocol, it would be impossible to take payments, or to transfer credit card numbers online. The fact of the matter is that commerce is enhanced when consumers have confidence in the entity with which they are doing business. Knowing that their privacy is protected will build such trust and will prove to be a win-win for consumers and businesses alike. What sort of long-lasting business model can be built on surreptitiously spying on customers?
The Consumer Federation of America filed comments stating that the Commerce Department green paper “misses the mark in how it characterizes the current state of consumer privacy and in its recommendations for how to strengthen it.”
This difference in perspective may be due, to some degree, to the fact that the DOC is not a consumer protection agency. Its mandate is to “advance economic growth and jobs” and its main function is to promote business interests here and abroad. We do not mean this in a pejorative way; that is a valid mandate, and it is clear that the DOC recognizes the importance of consumer trust in the growth of the Internet economy. […]
Throughout the green paper there are statements about the current state of privacy protection in the United States that we do not believe are supportable, e.g. from the Foreword: “Our laws and policies, backed by strong enforcement, provide effective commercial data privacy protections.” In fact, we have very few privacy laws, and contrary to the assertion in the Foreword, these laws do create a fragmented patchwork of protection, covering only specific entities such as financial institutions and health care providers, or very narrow situations such as the passing of consumers’ financial account number for marketing purposes from one company with which consumers have done business online to another online vendor or sharing children’s online data. We have the Federal Trade Commission’s (FTC) Self‐Regulatory Principles for Online Behavioral Advertising and voluntary industry self‐regulatory programs which have proven inadequate to ensure that consumers have real control over the collection and use of their data. If the current regime was effective, there would be no reason to do more.
2. The likely outcome with an office would be better protection of privacy than would occur without the office.
3. The likely outcome with an office would be better achievement of other policy goals than would occur without the office.