Big computer companies and edge providers are in agreement that federal privacy legislation currently being contemplated by the White House and Congress should preempt state efforts to regulate privacy. They also advise the Trump Administration and Congress not to be in too much of a hurry to give the FTC rulemaking authority.
The Internet Association (IA) and Computer & Communications Industry Association (CCIA) made those points in filings with the National Telecommunications & Information Administration (NTIA), which sought comment on a framework for protecting privacy. NTIA is President Trump's principal communications advisory agency. Comments were due Friday (Nov. 9).
In June, California passed a privacy bill that established a consumer right of privacy, though one based on disclosure and the right to opt out of data collection or third-party sharing, and to have their data deleted if they chose. The bill, which does not go into effect until 2020, followed congressional Republican's nullification of an online privacy framework approved by the FCC under then-Democratic Chairman Tom Weeeler. Other states are making similar efforts to fill what they see as a privacy void, which edge providers and ISPs oppose as a "patchwork" approach that is hard to comply with.
In its comments, CCIA said that "where appropriate" state laws on data privacy, breach notification and security should be preempted by an overarching federal baseline privacy protection. IA said: "A national privacy framework should be consistent throughout all states, preempting state consumer privacy and data security laws."
The companies also want NTIA to come up with its framework ASAP since congress is on a parallel track in its efforts to come up with the legislation to create that framework, though getting a divided Congress to agree on issues like what is personal information, where and whether there should be an opt-in requirement for data sharing, and the sticky preemption issue, will make that a tall order.
Some privacy activists and Hill Dems argue that preemption should not occur where the state laws are tougher than a national standard.
Those same activists have been pushing for any new federal privacy legislation to give the Federal Trade Commission, which has principle authority over enforcing online privacy, both from edge providers and ISPs, the ability to come up with rules and levy penalties. Currently it enforces privacy by seeking settlements—financial and otherwise—or suing companies for deceptive or anticompetitive conduct.
But the Internet Association says not so fast: "The FTC has said that it believes that it needs APA rulemaking authority and civil penalty authority as part of a new federal law," it told NTIA. "IA believes that it is premature to conclude that rulemaking and civil penalty authority is necessary for a law that has yet to be drafted, let alone enacted."