My letter to the NTIA concerning the Administration’s Approach to Consumer Privacy

The deadline for submitting comments on the National Telecommunications and Information Administration’s (NTIA) proposed approach for federal privacy law was extended recently to November 9, 2018.

Here’s what I submitted to the NTIA this morning. It’s not too late for you to do the same.

Re: Docket 180821780-8780-01
Federal Register Vol. 83, No. 187, p. 48600 – 48603
Developing the Administration’s Approach to Consumer Privacy

To Whom It May Concern:

Thank you for providing the opportunity to comment on the Administration’s proposed approach to consumer privacy. I have a few concerns I wish to raise.

1. Concerning Section I.B(4) – the Self-Regulatory Approach Proposed

It is not completely clear whether the approach detailed in the RFC would lead to federal law governing the collection, storage, use and sharing of consumer information, or merely to voluntary guidelines. Since the RFC cited both the NIST “voluntary risk-based Privacy Framework” as well as the self-regulatory Fair Information Practice Principles (FIPP), one could conclude that the NTIA is proposing a voluntary approach. This is important and should be clarified.

Assuming a voluntary approach is being proposed, the Administration should re-review the findings of the FTC “Privacy Online” report to Congress in June of 1998. The FTC concluded, with respect to FIPP, that:

To date, industry has had only limited success in implementing fair information practices and adopting self-regulatory regimes with respect to the online collection, use, and dissemination of personal information.

It is out of the limited success of these self-regulatory regimes that laws like the Children’s Online Privacy Protection Act of 1998 came to be and, more recently, that individual states have enacted non-voluntary regulations like the California Consumer Privacy Act of 2018.

It is noteworthy that, although FIPP recommends that consumers should be given notice of information practices before any personal information is collected from them, it wasn’t until the enactment of the EU’s General Data Protection Regulation in 2018 that such notices were added to the online sites of many U.S.-based businesses.

Therefore, it is not clear that proposing voluntary principles would be any more effective than past attempts at leaving the tech industry to regulate itself with respect to user privacy. It is not clear that this would further consumer trust, which as the RFC states “is at the core of the United States’ privacy policy formation” and which the NTIA concluded, twenty years after the FTC “Privacy Online” report, that “Most Americans Continue to Have Privacy and Security Concerns, NTIA Survey Finds” (NTIA Blog, August 2018).

2. Concerning Section I.B(1) – Regulatory Harmonization

This section seems to suggest that the Administration will be seeking to preempt the privacy regulations enacted independently in states like California and Vermont with voluntary principles. This is important and should be clarified.

Although the RFC makes a valid point about the added burden incurred by businesses to respect the various regulations in each of the states in which they do business, preempting state regulations with federal voluntary principles will undermine the trust that is just beginning to be re-built between consumers and businesses in states with new privacy regulations on the books.

If the Administration is to craft preemptive law, it would be better for it to be a non-voluntary regulatory framework that leverages some or all of the requirements of the California Consumer Privacy Act of 2018 and the Vermont Data Broker Law of 2018.

Further, similarly, it is not clear whether the “Risk Management” outcome (Section I.A(6)) is intended to preempt states’ data breach disclosure laws. If so, then a non-voluntary regulatory framework (with the state laws informing a minimum) is far more likely to be effective at increasing consumer trust than stripping states’ breach notification protections.

3. Response to Section II.G – “Are there… any outcomes or high-level goals in this document that would be detrimental to achieving the goal of achieving U.S. leadership?”

Although the outcomes enumerated in section I.B of the RFC (e.g. transparency, control, minimization, security, access and correction, etc.) laudably mirror recently enacted privacy regulation abroad and within, I believe relying on voluntary principles being adopted by industry and preempting state law would, instead, directly undermine the goal of achieving U.S. leadership in online privacy.

Thank you for taking these concerns into consideration.


Allen Snook
WordPress Core Contributor for Privacy
26 years professional experience in engineering, software development and management
Alumni, Virginia Polytechnic Institute and State University, BSEE

US NTIA Privacy Request for Comments

Today, the United States Department of Commerce National Telecommunications and Information Administration (NTIA) invited the public to comment on the Trump administration’s proposed approach to federal privacy policy.

This is a unique opportunity for privacy professionals to weigh in on the policies and laws that affect many of us and our work, not just in the United States of America, but worldwide.

Tick, tock! Comments are open until October 26, 2018.

A complete copy of the proposal is available from the Federal Register at and more information is available on the NTIA website at

MIT has a great article on commenting on pending legislation here:

I’ll post my comments here in a follow-on post once I assemble them.