[On Tuesday,] NTIA released comments it received in response to a September 25, 2018, request for comment on a high-level framework for protecting consumer data privacy. We received over 200 comments from individuals, industry associations, companies, civil society, and academics.
From the ALA Submission:
The ALA agrees that the framework for consumer privacy should be strengthened. The RFC asks, however, whether any particular outcomes or goals might be ambiguous or whether there are risks from this effort that are not apparent. We believe that there is some risk that a generally applicable commercial privacy framework might be inconsistent with the operation of libraries (and probably other quasi-public institutions).
The members of the ALA are deeply committed to ensuring that we meet the privacy expectations of those whom we serve. We have already adopted privacy guidelines and best practices that are scalable and based on the volume and sensitivity of the personal reading record data that we collect – reflecting our view that the freedom of inquiry is an especially sensitive area of concern where privacy protections should take precedence. But we do, respectfully, suggest that the dichotomy suggested by the NTIA’s RFP – between government on the one hand, and all other entities, as a unitary group on the other – is too simple and obscures real differences in kind within the non-governmental group.
We therefore, respectfully, urge the NTIA to explicitly recognize a third category – one that encompasses libraries and, possibly, other non-governmental, quasi-public entities who might share these concerns, albeit in different degrees and in different measures depending upon their objectives. This third type of entity would be likely, in our view, to implement a risk-based approach to privacy in a way that is categorically different from that adopted by purely commercial actors.
From the ARL Submission:
Transparency is an essential hallmark for any privacy law, allowing users to read and understand the terms under which they allow their data to be collected and used. Policies must be easily accessible at the time the user engages with the service. Users should understand what information is collected, stored, used and shared from the outset. Transparency must mean more than mere notice or simple access to terms and conditions; the language used must be plainly written for the target audience and stripped of any legalese. These measures should also consider inclusion of privacy support, allowing users to ask questions or have privacy options explained.
Additionally, the Request for Comment raises the issue of security safeguards to secure personally identifiable information on data. Just as users must be able to understand the collection policies, so too must they be informed when their data has been breached. Regulations should incorporate appropriate notification standards for security breaches.
ARL supports the creation of strong federal privacy regulations. While some elements of meaningful privacy rules are clear, such as transparency and consent, other areas require thorough consideration and a nuanced approach. Privacy regulations should protect users and provide incentives for compliance, yet avoid overly-burdensome requirements that would stifle innovation.