A recent article on the Broadcasting & Cable website reported on comments by the Center for Digital Democracy (CDD) to the White House’s National Telecommunications & Information Administration (NTIA) that industry self-regulation has been a failure and that legislation is the only solution to the complex privacy issues we face today.
I would like to share some observations about the issue of privacy and self-regulation. First, privacy is indeed a critically important issue today both with respect to the public sector and private sector. The White House should be applauded for its report on privacy -- a thoughtful and balanced analysis of the issue and potential concerns.
I strongly disagree with the notion that self-regulation has been a failure. Self-regulation, such as the NAI, has helped promote best practices and higher standards for many business models. There is certainly more to be done -- standards need to be raised, the scope of Codes of Conduct need to be expanded, and more companies need to step up to the plate and engage – and I don't think anyone would suggest otherwise. That does not mean self-regulation is a failure, it's an ongoing process.
I am not necessarily opposed to privacy legislation (heresy to say on K Street), but reality and history suggest that it’s not a good bet to rely on Congress to solve privacy issues.
I know from personal experience that the challenges to passing privacy legislation are immense. I am one of the few people who can claim to have drafted an omnibus privacy bill. I drafted the consumer privacy bill when I worked as counsel to the House Energy & Commerce Committee. I can remember the challenges we faced with issues such a preemption, enforcement by the states, private rights of action, exemptions for small business, the scope of rulemaking authority, and how to handle overlap with current privacy regimes like the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Cable Act, and HIPAA, just to name a few. The reality is that good legislation is nearly impossible after every stakeholder, every Congressional committee with jurisdiction, and every interest group weighs in to protect their interests.
Given that current reality, it would be a mistake to dismiss self-regulation as an important piece of any proposal to address big data and privacy. Even if you’d prefer a comprehensive privacy bill, as CDD Executive Director Jeff Chester does, we should still work together on effective self-regulation. We need self-regulation to continue, and, yes, we need responsible actors in industry to step up to the plate so that we can enjoy the benefits and opportunities presented by big data, while still respecting important values like transparency, consumer choice, and privacy. I'm personally eager to work on those issues with industry, consumer advocates, the FTC, and others.
Finally, I want to mention another issue – I commend the White House for its recent focus on practices that could result in discrimination. It is an important issue that we must tackle as more and more data is collected from a wide range of sources. Last year, NAI became the first self-regulatory body to add into Code of Conduct "sexual orientation" to our definition of "sensitive data" and I hope others in industry follow.
(To read a version of these comments that I posted on the Broadcasting & Cable website, click here.)