83 FR 48600 - Developing the Administration's Approach to Consumer Privacy
DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration Federal Register Volume 83, Issue 187 (September 26, 2018)
National Telecommunications and Information Administration
Federal Register Volume 83, Issue 187 (September 26, 2018)
| Page Range | 48600-48603 | |
| FR Document | 2018-20941 |
[Federal Register Volume 83, Number 187 (Wednesday, September 26, 2018)] [Notices] [Pages 48600-48603] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2018-20941] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE National Telecommunications and Information Administration [Docket No. 180821780-8780-01] RIN 0660-XC043 Developing the Administration's Approach to Consumer Privacy AGENCY: National Telecommunications and Information Administration, U.S. Department of Commerce. ACTION: Notice; request for public comments. ----------------------------------------------------------------------- SUMMARY: On behalf of the U.S. Department of Commerce, the National Telecommunications and Information Administration (NTIA) is requesting comments on ways to advance consumer privacy while protecting prosperity and innovation. NTIA is seeking public comments on a proposed approach to this task that lays out a set of user-centric privacy outcomes that underpin the protections that should be produced by any Federal actions on consumer-privacy policy, and a set of high- level goals that describe the outlines of the ecosystem that should be created to provide those protections. DATES: Comments must be received by 11:59 p.m. Eastern Daylight Time on October 26, 2018. ADDRESSES: Written comments identified by Docket No. 180821780-8780-01 may be submitted by email to [email protected]. Comments submitted by email should be machine-readable and should not be copy- protected. Written comments also may be submitted by mail to the National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Attn: Privacy RFC, Washington, DC 20230. FOR FURTHER INFORMATION CONTACT: Travis Hall, Telecommunications Policy Analyst, Office of Policy Analysis and Development, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230; telephone: 202-482-3522; email: [email protected]. For media inquiries: Anne Veigle, Director, Office of Public Affairs, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4897, Washington, DC 20230; telephone: (202) 482-7002; email: [email protected]. SUPPLEMENTARY INFORMATION: I. Background The U.S. Department of Commerce (Department) requests comment on ways to advance consumer privacy while protecting prosperity and innovation. Every day, individuals interact with an array of products and services, many of which have become integral to their daily lives. Often, especially in the digital environment, these products and services depend on the collection, retention, and use of personal data about their users. Users must therefore trust that organizations will respect their interests, understand what is happening with their personal data, and decide whether they are comfortable with this exchange. Trust is at the core of the United States' privacy policy formation. Through this Request for Comment (RFC), the Administration will determine the best path toward protecting individual's privacy while fostering innovation. The time is ripe for this Administration to provide the leadership needed to ensure that the United States remains at the forefront of enabling innovation with strong privacy protections. A growing number of foreign countries, and some U.S. states, have articulated distinct visions for how to address privacy concerns, leading to a nationally and globally fragmented regulatory landscape. Such fragmentation naturally disincentivizes innovation by increasing the regulatory costs for products that require scale. The Administration hopes to articulate a renewed vision, one that reduces fragmentation nationally and increases harmonization and interoperability nationally and globally. Further, changes in the way personal information is used by organizations, and how users interact with the products and services with which they frequently engage, have increased the belief that users are losing control over their personal information. As seen in data collected by the National Telecommunications and Information Administration (NTIA), at least a third of online households have been deterred from certain forms of online activity, such as financial transactions, due to privacy and security concerns.\1\ The Administration takes these concerns seriously and believes that users should be able to benefit from dynamic uses of their information, while still expecting organizations will appropriately minimize risks to users' privacy. Risk-based flexibility is therefore at the heart of the approach the Administration is requesting comment on in this RFC. We are mindful of the potential impact of a solution on small and mid- sized businesses, and we will be looking for solutions that support their continued ability to innovate and support economic growth. --------------------------------------------------------------------------- \1\ NTIA Blog, ``Most Americans Continue to Have Privacy and Security Concerns, NTIA Survey Finds'' (Aug. 20, 2018), https://www.ntia.doc.gov/blog/2018/most-americans-continue-have-privacy-and-security-concerns-ntia-survey-finds. --------------------------------------------------------------------------- The United States has a history of providing strong protections for privacy dating back to 1789, with the drafting of our Bill of Rights, including the Fourth Amendment. The United States also has been a leader in developing privacy norms, be it through the development of what ultimately became known as the Fair Information Practice Principles (FIPPs) in the 1970's, or through the strongest privacy enforcement regime in the world. For users of products and services in several sectors (e.g., healthcare, education, financial services), specific laws cover how organizations handle personal information. Where no sector-specific laws apply, the Federal Trade Commission (FTC) has the authority to ensure that organizations are not deceiving consumers or operating unfairly. In all respects, the United [[Page 48601]] States has successfully investigated and taken enforcement actions against organizations that violate these existing Federal laws. This RFC asks how best to strengthen the protections users currently enjoy; it does not propose changing current sectoral federal laws.\2\ --------------------------------------------------------------------------- \2\ These sectoral laws include, but are not limited to, the Children's Online Privacy and Protection Act, Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act. --------------------------------------------------------------------------- This RFC is the outcome of an interagency process led by the National Economic Council (NEC) of the United States. NTIA has worked in coordination with the International Trade Administration (ITA) to ensure consistency with international policy objectives, and in parallel with the work of the National Institute of Standards and Technology (NIST) in developing a voluntary risk-based Privacy Framework as an enterprise risk management tool for organizations. In developing this RFC, the Department conducted significant outreach to a diverse set of individuals and organizations, including a broad range of industries, academics, and civil society organizations. These meetings helped to shape this Administration's proposed general approach to privacy, described below. This approach is divided into two parts: (1) A set of user-centric privacy outcomes that underpin the protections that should be produced by any Federal actions on consumer-privacy policy, and (2) a set of high-level goals that describe the outlines of the ecosystem that should be created to provide those protections. This Administration is approaching this subject with humility, an understanding of the complexity of the issues at hand, and a commitment to a transparent process. As such, this RFC does not call for the creation of a statutory standard. Rather, it is looking to commenters to respond with details as to how these privacy outcomes and goals can be achieved. These comments will help to inform future Administration policy, actions, and engagement on consumer privacy.\3\ --------------------------------------------------------------------------- \3\ This Request for Comment is focused solely on private collection, use, storage, and sharing of personal data. It does not address lawful government access to such data. --------------------------------------------------------------------------- A. Privacy Outcomes Principle-based approaches to privacy, particularly when written to be operationalized, often encapsulate the desired outcome and the means used to achieve this outcome. For example, the consent of an informed user is the end-goal of most approaches to consumer privacy, but in order to create legal clarity, this principle is implemented by mandating notice and choice. To date, such mandates have resulted primarily in long, legal, regulator-focused privacy policies and check boxes, which only help a very small number of users who choose to read these policies and make binary choices. The Administration is instead proposing that discussion of consumer privacy in the United States refocus on the outcomes of organizational practices, rather than on dictating what those practices should be. The desired outcome is a reasonably informed user, empowered to meaningfully express privacy preferences, as well as products and services that are inherently designed with appropriate privacy protections, particularly in business contexts in which relying on user intervention may be insufficient to manage privacy risks. Using a risk- based approach, the collection, use, storage, and sharing of personal data should be reasonable and appropriate to the contex. Similarly, user transparency, control, and access should be reasonable and appropriate relative to context. This outcome underpins many of the principle-based approaches, including the FIPPs. The Administration is proposing that these outcomes be operationalized through a risk- management approach, one that affords organizations flexibility and innovation in how to achieve these outcomes. Protecting both privacy and innovation requires balancing flexibility with the need for legal clarity and strong consumer protections. Being overly prescriptive can result in compliance checklists that stymie innovative privacy solutions. In addition, a prescriptive approach does not necessarily provide measurable privacy benefits. An outcome-based approach emphasizes flexibility, consumer protection, and legal clarity can be achieved through mechanisms that focus on managing risk and minimizing harm to individuals arising from the collection, storage, use, and sharing of their information. The following outcomes are provided to spur comments, discussion, and engagement on how best to achieve user-centric privacy outcomes in a manner that is both flexible and clear, not to propose the text of a legal standard. They should be read as a set of inputs for building better privacy protections into products and services. For example, Access and Correction (item 5, below) is not an abstract requirement. Rather, organizations should consider the overall context in which the product or service operates, including the purpose of the product or service, the privacy risks that the product or service may be creating, other means of mitigating these privacy risks, the impact of access and correction on other organizational risks, and other relevant factors, in order to determine the degree or manner in which access and correction could help achieve a user-centric privacy outcome without creating needless costs. 1. Transparency. Users should be able to easily understand how an organization collects, stores, uses, and shares their personal information. Transparency can be enabled through various means. Organizations should take into account how the average user interacts with a product or service, and maximize the intuitiveness of how it conveys information to users. In many cases, lengthy notices describing a company's privacy program at a consumer's initial point of interaction with a product or service does not lead to adequate understanding. Organizations should use approaches that move beyond this paradigm when appropriate. 2. Control. Users should be able to exercise reasonable control over the collection, use, storage, and disclosure of the personal information they provide to organizations. However, which controls to offer, when to offer them, and how they are offered should depend on context, taking into consideration factors such as a user's expectations and the sensitivity of the information. The controls available to users should be developed with intuitiveness of use, affordability, and accessibility in mind, and should be made available in ways that allow users to exercise informed decision-making. In addition, controls used to withdraw the consent of, or to limit activity previously permitted by, a consumer should be as readily accessible and usable as the controls used to permit the activity. 3. Reasonable Minimization. Data collection, storage length, use, and sharing by organizations should be minimized in a manner and to an extent that is reasonable and appropriate to the context and risk of privacy harm. Other means of reducing the risk of privacy harm (e.g., additional security safeguards or privacy enhancing techniques) can help to reduce the need for such minimization. 4. Security. Organizations that collect, store, use, or share personal information should employ security safeguards to secure these data. Users should be able to expect that their data are protected from loss and unauthorized access, destruction, use, modification, and disclosure. Further, organizations should take reasonable security [[Page 48602]] measures appropriate to the level of risk associated with the improper loss of, or improper access to, the collected personal data; they should meet or ideally exceed current consensus best practices, where available. Organizations should secure personal data at all stages, including collection, computation, storage, and transfer of raw and processed data. 5. Access and Correction. Users should have qualified access personal data that they have provided, and to rectify, complete, amend, or delete this data. This access and ability to correct should be reasonable, given the context of the data flow, appropriate to the risk of privacy harm, and should not interfere with an organization's legal obligations, or the ability of consumers and third parties to exercise other rights provided by the Constitution, and U.S. law, and regulation. 6. Risk Management. Users should expect organizations to take steps to manage and/or mitigate the risk of harmful uses or exposure of personal data. Risk management is the core of this Administration's approach, as it provides the flexibility to encourage innovation in business models and privacy tools, while focusing on potential consumer harm and maximizing privacy outcomes. 7. Accountability. Organizations should be accountable externally and within their own processes for the use of personal information collected, maintained, and used in their systems. As described below in the High-Level Goals for Federal Action section, external accountability should be structured to incentivize risk and outcome- based approaches within organizations that enable flexibility, encourage privacy-by-design, and focus on privacy outcomes. Organizations that control personal data should also take steps to ensure that their third-party vendors and servicers are accountable for their use, storage, processing, and sharing of that data. B. High-Level Goals for Federal Action The Administration is also looking to gather feedback on the following high-level goals for Federal action. These goals should be understood as setting the broad outline for the direction that Federal action should take, in addition to comments on the goals, we are also looking for comments with details as to how these goals can be achieved. Below is a non-exhaustive and non-prioritized list of the Administration's priorities. We understand that there is considerable work to be done to achieve these goals. 1. Harmonize the regulatory landscape. While the sectoral system provides strong, focused protections and should be maintained, there is a need to avoid duplicative and contradictory privacy-related obligations placed on organizations. We are actively witnessing the production of a patchwork of competing and contradictory baseline laws. This emerging patchwork harms the American economy and fails to improve privacy outcomes for individuals, who may be unaware of what their privacy protections are, and who may not have equal protections, depending on where the user lives. Steps need to be taken to ensure that the regulatory landscape for organizations that process personal data in the United States remains flexible, strong, predictable, and harmonized. 2. Legal clarity while maintaining the flexibility to innovate. The ideal end-state would ensure that organizations have clear rules that provide for legal clarity, while enabling flexibility that allows for novel business models and technologies, as well as the means to use a variety of methods to achieve consumer-privacy outcomes. The Administration understands that balancing legal clarity, flexibility, and consumer privacy requires compromise and creative thinking. It is in striking this balance, however, that the United States has been able to maintain international leadership in both innovation and privacy enforcement, and any future action should strive to create a system that to the greatest extent possible maximizes each. 3. Comprehensive application. Any action addressing consumer privacy should apply to all private sector organizations that collect, store, use, or share personal data in activities that are not covered by sectoral laws. The differences between business models and technologies used should be addressed through the application of a risk and outcome-based approach, which would allow for similar data practices in similar context to be treated the same rather than through a fragmented regulatory approach. 4. Employ a risk and outcome-based approach. Instead of creating a compliance model that creates cumbersome red tape--without necessarily achieving measurable privacy protections--the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes. Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs, when making decisions about how to adopt various privacy practices. Outcome- based approaches also enable innovation in the methods used to achieve privacy goals. Risk and outcome-based approaches have been successfully used in cybersecurity, and can be enforced in a way that balances the needs of organizations to be agile in developing new products, services, and business models with the need to provide privacy protections to their customers, while also ensuring clarity in legal compliance. 5. Interoperability. The growth and advancement of the internet- enabled economy depends on personal information moving seamlessly across borders. However, the Administration recognizes that governments approach consumer privacy differently, creating the need for mechanisms to bridge differences, while ensuring personal data remains protected. The Administration should therefore seek to reduce the friction placed on data flows by developing a regulatory landscape that is consistent with the international norms and frameworks in which the United States participates, such as the APEC Cross-Border Privacy Rules System. 6. Incentivize privacy research. The U.S. Government should encourage more research into, and development of, products and services that improve privacy protections. These technologies and solutions will include measures built into system architectures or product design to mitigate privacy risks, as well as usability features at the user- interface level. These innovations require more research into understanding user preferences, concerns, and difficulties, as well as an understanding of the impact on legal obligations of third parties and the ability of third parties to exercise other rights provided by law. Privacy research will inform the development of standards frameworks, models, methodologies, tools, and products that enhance privacy. 7. FTC enforcement: Given its history of effectiveness, the FTC is the appropriate federal agency to enforce consumer privacy with certain exceptions made for sectoral laws outside the FTC's jurisdiction, such as HIPAA. It is important to take steps to ensure that the FTC has the necessary resources, clear statutory authority, and direction to enforce consumer privacy laws in a manner that balances the need for strong consumer protections, legal clarity for organizations, and the flexibility to innovate. 8. Scalability: The Administration should ensure that the proverbial sticks [[Page 48603]] used to incentivize strong consumer privacy outcomes are deployed in proportion to the scale and scope of the information an organization is handling. In general, small businesses that collect little personal information and do not maintain sensitive information about their customers should not be the primary targets of privacy-enforcement activity, so long as they make good-faith efforts to utilize privacy protections. Similarly, there should be a distinction between organizations that control personal data and third-party vendors that merely process that personal data on behalf of other organizations. Just as organizations should employ outcome-based approaches when developing privacy protections for their customers, the government should do the same with its approach to privacy enforcement and compliance. II. Request for Comment A. Through this RFC, the Department is first seeking feedback on what it believes are the core privacy outcomes that consumers can expect from organizations. 1. Are there other outcomes that should be included, or outcomes that should be expanded upon as separate items? 2. Are the descriptions clear? Beyond clarity, are there any issues raised by how any of the outcomes are described? 3. Are there any risks that accompany the list of outcomes, or the general approach taken in the list of outcomes? B. The Department is also seeking feedback on the proposed high- level goals for an end-state for U.S. consumer-privacy protections. 1. Are there other goals that should be included, or outcomes that should be expanded upon? 2. Are the descriptions clear? Beyond clarity, are there any issues raised by how the issues are described? 3. Are there any risks that accompany the list of goals, or the general approach taken by the Department? C. The Department is seeking comments that describe what the next steps and measures the Administration should take to effectuate the previously discussed user-centric privacy outcomes, and to achieve an end-state in line with the high-level goals. In particular: 1. Are there any aspects of this approach that could be implemented or enhanced through Executive action, for example, through procurement? Are there any non-regulatory actions that could be undertaken? If so, what actions should the Executive branch take? 2. Should the Department convene people and organizations to further explore additional commercial data privacy-related issues? If so, what is the recommended focus and desired outcomes? 3. What aspects of the Department's proposed approach to consumer privacy, if any, are best achieved via other means? Are there any recommended statutory changes? D. The Department understands that some of the most important work in establishing privacy protections lies within the definitions of key terms, and seeks comments on the defintions. In particular: 1. Do any terms used in this document require more precise definitions? 2. Are there suggestions on how to better define these terms? 3. Are there other terms that would benefit from more precise definitions? 4. What should those definitions be? E. One of the high-level end-state goals is for the FTC to continue as the Federal consumer privacy enforcement agency, outside of sectoral exceptions beyond the FTC's jurisdiction. In order to achieve the goals laid out in this RFC, would changes need to be made with regard to the FTC's resources, processes, and/or statutory authority? F. If all or some of the outcomes or high-level goals described in this RFC were replicated by other countries, do you believe it would be easier for U.S. companies to provide goods and services in those countries? G. Are there other ways to achieve U.S. leadership that are not included in this RFC, or any outcomes or high-level goals in this document that would be detrimental to achieving the goal of achieving U.S. leadership? Instructions for Commenters This is a general solicitation of comments from the public. We invite comments on the full range of questions presented by this RFC and on issues that are not specifically raised. Commenters are encouraged to address any or all of the questions above. Comments that contain references to specific court cases, studies, and/or research should include copies of the referenced materials along with the submitted comments. Commenters should include the name of the person or organization filing the comment, as well as a page number on each page of the submissions. All comments received are a part of the public record and will generally be posted on the NTIA website, www.ntia.doc.gov/privacyrfc2018, without change. All personal identifying information (for example, name or address) voluntarily submitted by the commenter may be publicly accessible. Do not submit confidential business information or otherwise sensitive or protected information. Dated: September 21, 2018. David J. Redl, Assistant Secretary for Communications and Information, National Telecommunications and Information Administration. [FR Doc. 2018-20941 Filed 9-25-18; 8:45 am] BILLING CODE 3510-60-P
![48600 Federal Register / Vol. 83, No. 187 / Wednesday, September 26, 2018 / Notices
Estimated Total Annual Burden outlines of the ecosystem that should be foreign countries, and some U.S. states,
Hours: 150 hours. created to provide those protections. have articulated distinct visions for how
Estimated Total Annual Cost to DATES: Comments must be received by to address privacy concerns, leading to
Public: $0 in capital and reporting/ 11:59 p.m. Eastern Daylight Time on a nationally and globally fragmented
recordkeeping costs. October 26, 2018. regulatory landscape. Such
ADDRESSES: Written comments fragmentation naturally disincentivizes
IV. Request for Comments innovation by increasing the regulatory
identified by Docket No. 180821780–
Comments are invited on: (a) Whether 8780–01 may be submitted by email to costs for products that require scale. The
the proposed collection of information privacyrfc2018@ntia.doc.gov. Comments Administration hopes to articulate a
is necessary for the proper performance submitted by email should be machine- renewed vision, one that reduces
of the functions of the agency, including readable and should not be copy- fragmentation nationally and increases
whether the information shall have protected. Written comments also may harmonization and interoperability
practical utility; (b) the accuracy of the be submitted by mail to the National nationally and globally.
agency’s estimate of the burden Further, changes in the way personal
Telecommunications and Information
(including hours and cost) of the information is used by organizations,
Administration, U.S. Department of
proposed collection of information; (c) and how users interact with the
Commerce, 1401 Constitution Avenue
ways to enhance the quality, utility, and products and services with which they
NW, Room 4725, Attn: Privacy RFC,
clarity of the information to be frequently engage, have increased the
Washington, DC 20230.
collected; and (d) ways to minimize the belief that users are losing control over
FOR FURTHER INFORMATION CONTACT: their personal information. As seen in
burden of the collection of information
Travis Hall, Telecommunications Policy data collected by the National
on respondents, including through the
Analyst, Office of Policy Analysis and Telecommunications and Information
use of automated collection techniques
Development, National Administration (NTIA), at least a third
or other forms of information
Telecommunications and Information of online households have been deterred
technology.
Administration, U.S. Department of from certain forms of online activity,
Comments submitted in response to
Commerce, 1401 Constitution Avenue such as financial transactions, due to
this notice will be summarized and/or
NW, Room 4725, Washington, DC privacy and security concerns.1 The
included in the request for OMB
20230; telephone: 202–482–3522; email: Administration takes these concerns
approval of this information collection;
thall@ntia.doc.gov. seriously and believes that users should
they also will become a matter of public For media inquiries: Anne Veigle,
record. be able to benefit from dynamic uses of
Director, Office of Public Affairs, their information, while still expecting
Dated: September 20, 2018. National Telecommunications and organizations will appropriately
Sarah Brabson, Information Administration, U.S. minimize risks to users’ privacy. Risk-
NOAA PRA Clearance Officer. Department of Commerce, 1401 based flexibility is therefore at the heart
[FR Doc. 2018–20850 Filed 9–25–18; 8:45 am] Constitution Avenue NW, Room 4897, of the approach the Administration is
BILLING CODE 3510–JE–P Washington, DC 20230; telephone: (202) requesting comment on in this RFC. We
482–7002; email: press@ntia.doc.gov. are mindful of the potential impact of a
SUPPLEMENTARY INFORMATION: solution on small and mid-sized
DEPARTMENT OF COMMERCE businesses, and we will be looking for
I. Background
solutions that support their continued
National Telecommunications and The U.S. Department of Commerce ability to innovate and support
Information Administration (Department) requests comment on economic growth.
ways to advance consumer privacy The United States has a history of
[Docket No. 180821780–8780–01] while protecting prosperity and providing strong protections for privacy
innovation. Every day, individuals dating back to 1789, with the drafting of
RIN 0660–XC043 interact with an array of products and our Bill of Rights, including the Fourth
Developing the Administration’s services, many of which have become Amendment. The United States also has
Approach to Consumer Privacy integral to their daily lives. Often, been a leader in developing privacy
especially in the digital environment, norms, be it through the development of
AGENCY: National Telecommunications these products and services depend on what ultimately became known as the
and Information Administration, U.S. the collection, retention, and use of Fair Information Practice Principles
Department of Commerce. personal data about their users. Users (FIPPs) in the 1970’s, or through the
ACTION: Notice; request for public must therefore trust that organizations strongest privacy enforcement regime in
comments. will respect their interests, understand the world. For users of products and
what is happening with their personal services in several sectors (e.g.,
SUMMARY: On behalf of the U.S. data, and decide whether they are healthcare, education, financial
Department of Commerce, the National comfortable with this exchange. Trust is services), specific laws cover how
Telecommunications and Information at the core of the United States’ privacy organizations handle personal
Administration (NTIA) is requesting policy formation. Through this Request information. Where no sector-specific
comments on ways to advance for Comment (RFC), the Administration laws apply, the Federal Trade
consumer privacy while protecting will determine the best path toward Commission (FTC) has the authority to
prosperity and innovation. NTIA is protecting individual’s privacy while ensure that organizations are not
daltland on DSKBBV9HB2PROD with NOTICES
seeking public comments on a proposed fostering innovation. deceiving consumers or operating
approach to this task that lays out a set The time is ripe for this unfairly. In all respects, the United
of user-centric privacy outcomes that Administration to provide the
underpin the protections that should be leadership needed to ensure that the 1 NTIA Blog, ‘‘Most Americans Continue to Have
produced by any Federal actions on United States remains at the forefront of Privacy and Security Concerns, NTIA Survey
Finds’’ (Aug. 20, 2018), https://www.ntia.doc.gov/
consumer-privacy policy, and a set of enabling innovation with strong privacy blog/2018/most-americans-continue-have-privacy-
high-level goals that describe the protections. A growing number of and-security-concerns-ntia-survey-finds.
VerDate Sep<11>2014 19:21 Sep 25, 2018 Jkt 244001 PO 00000 Frm 00016 Fmt 4703 Sfmt 4703 E:\FR\FM\26SEN1.SGM 26SEN1](https://thefederalregister.org/doc/83_FR_48787/page/1.svg)
![Federal Register / Vol. 83, No. 187 / Wednesday, September 26, 2018 / Notices 48603
used to incentivize strong consumer explore additional commercial data publicly accessible. Do not submit
privacy outcomes are deployed in privacy-related issues? If so, what is the confidential business information or
proportion to the scale and scope of the recommended focus and desired otherwise sensitive or protected
information an organization is handling. outcomes? information.
In general, small businesses that collect 3. What aspects of the Department’s Dated: September 21, 2018.
little personal information and do not proposed approach to consumer David J. Redl,
maintain sensitive information about privacy, if any, are best achieved via
Assistant Secretary for Communications and
their customers should not be the other means? Are there any Information, National Telecommunications
primary targets of privacy-enforcement recommended statutory changes? and Information Administration.
activity, so long as they make good-faith D. The Department understands that [FR Doc. 2018–20941 Filed 9–25–18; 8:45 am]
efforts to utilize privacy protections. some of the most important work in
BILLING CODE 3510–60–P
Similarly, there should be a distinction establishing privacy protections lies
between organizations that control within the definitions of key terms, and
personal data and third-party vendors seeks comments on the defintions. In
particular: COMMODITY FUTURES TRADING
that merely process that personal data COMMISSION
on behalf of other organizations. Just as 1. Do any terms used in this
organizations should employ outcome- document require more precise Agency Information Collection
based approaches when developing definitions? Activities Under OMB Review
privacy protections for their customers, 2. Are there suggestions on how to
the government should do the same better define these terms? AGENCY: Commodity Futures Trading
with its approach to privacy 3. Are there other terms that would Commission.
enforcement and compliance. benefit from more precise definitions? ACTION: Notice.
4. What should those definitions be?
II. Request for Comment E. One of the high-level end-state SUMMARY: In compliance with the
A. Through this RFC, the Department goals is for the FTC to continue as the Paperwork Reduction Act of 1995
is first seeking feedback on what it Federal consumer privacy enforcement (PRA), this notice announces that the
believes are the core privacy outcomes agency, outside of sectoral exceptions Information Collection Request (ICR)
that consumers can expect from beyond the FTC’s jurisdiction. In order abstracted below has been forwarded to
organizations. to achieve the goals laid out in this RFC, the Office of Management and Budget
1. Are there other outcomes that would changes need to be made with (OMB) for review and comment. The
should be included, or outcomes that regard to the FTC’s resources, processes, ICR describes the nature of the
should be expanded upon as separate and/or statutory authority? information collection and its expected
items? F. If all or some of the outcomes or costs and burden.
2. Are the descriptions clear? Beyond high-level goals described in this RFC DATES: Comments must be submitted on
clarity, are there any issues raised by were replicated by other countries, do or before October 26, 2018.
how any of the outcomes are described? you believe it would be easier for U.S. ADDRESSES: Comments regarding the
3. Are there any risks that accompany companies to provide goods and burden estimate or any other aspect of
the list of outcomes, or the general services in those countries? the information collection, including
approach taken in the list of outcomes? G. Are there other ways to achieve suggestions for reducing the burden,
B. The Department is also seeking U.S. leadership that are not included in may be submitted directly to the Office
feedback on the proposed high-level this RFC, or any outcomes or high-level of Information and Regulatory Affairs
goals for an end-state for U.S. consumer- goals in this document that would be (OIRA) in OMB within 30 days of this
privacy protections. detrimental to achieving the goal of notice’s publication by either of the
1. Are there other goals that should be achieving U.S. leadership? following methods. Please identify the
included, or outcomes that should be Instructions for Commenters comments by ‘‘OMB Control No. 3038–
expanded upon? 0069.’’
2. Are the descriptions clear? Beyond This is a general solicitation of • By email addressed to:
clarity, are there any issues raised by comments from the public. We invite OIRAsubmissions@omb.eop.gov or
how the issues are described? comments on the full range of questions • By mail addressed to: the Office of
3. Are there any risks that accompany presented by this RFC and on issues that Information and Regulatory Affairs,
the list of goals, or the general approach are not specifically raised. Commenters Office of Management and Budget,
taken by the Department? are encouraged to address any or all of Attention Desk Officer for the
C. The Department is seeking the questions above. Comments that Commodity Futures Trading
comments that describe what the next contain references to specific court Commission, 725 17th Street NW,
steps and measures the Administration cases, studies, and/or research should Washington DC 20503.
should take to effectuate the previously include copies of the referenced A copy of all comments submitted to
discussed user-centric privacy materials along with the submitted OIRA should be sent to the Commodity
outcomes, and to achieve an end-state in comments. Commenters should include Futures Trading Commission (the
line with the high-level goals. In the name of the person or organization ‘‘Commission’’) by either of the
particular: filing the comment, as well as a page following methods. The copies should
1. Are there any aspects of this number on each page of the refer to ‘‘OMB Control No. 3038–0069.’’
approach that could be implemented or submissions. All comments received are • By mail addressed to: Christopher
daltland on DSKBBV9HB2PROD with NOTICES
enhanced through Executive action, for a part of the public record and will Kirkpatrick, Secretary of the
example, through procurement? Are generally be posted on the NTIA Commission, Commodity Futures
there any non-regulatory actions that website, www.ntia.doc.gov/ Trading Commission, Three Lafayette
could be undertaken? If so, what actions privacyrfc2018, without change. All Centre, 1155 21st Street NW,
should the Executive branch take? personal identifying information (for Washington, DC 20581;
2. Should the Department convene example, name or address) voluntarily • By Hand Delivery/Courier to the
people and organizations to further submitted by the commenter may be same address; or
VerDate Sep<11>2014 19:21 Sep 25, 2018 Jkt 244001 PO 00000 Frm 00019 Fmt 4703 Sfmt 4703 E:\FR\FM\26SEN1.SGM 26SEN1](https://thefederalregister.org/doc/83_FR_48787/page/4.svg)
Document Created: 2018-09-26 00:46:32
Document Modified: 2018-09-26 00:46:32
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice; request for public comments. | |
| Dates | Comments must be received by 11:59 p.m. Eastern Daylight Time on October 26, 2018. | |
| Contact | Travis Hall, Telecommunications Policy Analyst, Office of Policy Analysis and Development, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Washington, DC 20230; telephone: 202-482-3522; email: [email protected] | |
| FR Citation | 83 FR 48600 | |
| RIN Number | 0660-XC04 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR