Lack of federal data privacy legislation leaves US agencies to provide guidance | Thomson Reuters Regulatory Intelligence and Compliance Learning


[author: Rita Esposito]

With the US government being slow to enact any major federal data privacy policy, the gap is being filled by state legislatures and various federal agencies

Navigating the choppy waters of US federal data privacy policy can be difficult, primarily because a lack of policy development on the federal level has led to state — rather than federal — legislatures taking the lead on recent consumer privacy laws.

Five US states in particular can be seen as leaders: California, Virginia, Utah, Connecticut, and Colorado. Although their approaches to data privacy are not identical, provisions adopted by these five address issues such as information sharing, opting-out, and changing what data is collected. Further, additional pending legislation exists in other states.

Comparisons among state statutes aside, the lesson to be learned is that state legislation is being enacted in recognition that consumers want their data privacy protected and they want a legal framework built to ensure that protection.

On the federal side, things have progressed in a start-stop fashion. Although there has been some discussion in Congress on new potential legislation — with one or two potential measures showing prospects — most recent efforts on Capitol Hill have made little progress over the last two decades as technology and privacy concerns have gotten more complex. That leaves the executive branch agencies, such as the Federal Trade Commission (FTC), as the main official resource for guidance on federal data privacy policy.

The FTC has a long history. Created in 1915, the FTC’s mission is to protect consumers and promote competition. As a result of the Privacy Act of 1974, the agency reorganized its own system of records. One of its most well-known collection of records is the do-not-call-list, which maintains records of the phone numbers of persons who do not wish to receive telemarketing calls. The FTC also began in the 1970s enforcing the Fair Credit Reporting Act, which governs the information collected by credit reporting agencies. Although some of its fair-credit rulemaking authority was transferred to the Consumer Financial Protection Bureau upon its creation in the 2010 Dodd-Frank Act, the FTC has for decades been the main enforcer of privacy laws.

Businesses often can begin at the FTC website for FTC guidance when assessing compliance with federal laws. The FTC has additional information covering disciplines including advertising and marketing, credit and finance, privacy and security; it also covers industry sectors, ranging from funerals to finance, real estate and mortgages. Touting the use of plain-language, the FTC works to help businesses understand and comply with the law. Additionally, the FTC investigates and mitigates privacy incidents; and it also has indexed guidance documents which can clarify policy and offer advice, although they do not have the force and effect of law behind them.

The FTC weighs in on international matters as well, such as litigation on the Privacy Shield Framework. As a result of NTT Global Data Centers administrative litigation which involved noncompliance with the EU-US Privacy Data Shield, the FTC set out four compliance tips for companies that were transferring their consumer data from Europe to the United States. These tips included: i) keep Privacy Statements current; ii) if participating, honor the provisions; iii) maintain certification; and iv) follow the withdrawal procedures if withdrawal is chosen.

By accessing the FTC website, businesses can begin researching some of the privacy issues that companies face every day, and the site can become a regular resource for staying abreast of issues and for amending practices in order to remain compliant with federal law.

Providing guidance on COPPA

In another example, the FTC provides guidance on how the Children’s Online Privacy Protection Act (COPPA) applies to the collection of personal information gathered from children under 13 years of age. In particular, COPPA covers operatorsi.e., any person operating a website located on the Internet or an online service that collects or maintains personal information from or about the users or visitors.

COPPA applies not only to game sites, educational sites, and online social media companies, it also applies to anyone who markets to children and collects information about them. Modern children carry phones, have debit cards, explore apps, and are more comfortable using technology, which almost always involves the collection of user data. How information about them is shared and distributed is subject to strict requirements under COPPA. In a bulletin to chief executive officers and compliance officers of all national banks, department and division heads, and to all examining personnel, the Office of the Comptroller of the Currency (OCC) stated:

The COPPA, which is effective April 21, 2000, prohibits unfair or deceptive acts or practices in connection with the collection, use/or disclosure of personal information from and about children on the Internet. The COPPA and the final rule [issued by the FTC] apply to national banks. In addition, section 1306 of the COPPA gives the OCC enforcement responsibility. Examination procedures, currently being developed, will provide further guidance.

The FTC has a six-step compliance plan for COPPA, and one of those steps is for a company covered by COPPA to have a privacy policy on its company website, to post a link to it, and to include information such as:

  • a list of all operators (such as advertising network) collecting personal information;
  • a description of the personal information and how it is used;
  • a description of parental rights explaining that only reasonably necessary information is required; parents can review that information, direct its deletion, and refuse any further collection of the information. (Note that parents can disallow disclosure of collected information to third parties such as social networks); and
  • procedures to permit parents to exercise their rights.

Additionally, the FTC provides a chart for specific, narrow exceptions to COPPA’s consent mandate.

For those looking to ensure compliance with privacy or other government requirements, the FTC website can be helpful as an early step in the process. In addition, as law in an area develops, monitoring the site for agency interpretation and guidance can save time, energy, and resources in the quest to broaden understanding of the rules that apply in an ever-changing technological landscape.

[View source.]