Request for public comments.
The National Telecommunications and Information Administration (NTIA) is requesting comment on substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct, as well as procedures to foster the development of these codes. NTIA invites public comment on these issues from all stakeholders with an interest in consumer data privacy, including the commercial, academic and civil society sectors, and from federal and state enforcement agencies.
Comments are due on or before 5 p.m. Eastern Daylight Savings Time on March 26, 2012.
Written comments may be submitted by email to email@example.com. Comments submitted by email should be machine-searchable and should not be copy-protected. Written comments also may be submitted by mail to 1401 Constitution Avenue NW., Room 4725, Washington, DC 20230. Responders should include the name of the person or organization filing the comment, as well as a page number, on each page of their submissions. All comments received are a part of the public record and will generally be posted to http://www.ntia.doc.gov/category/internet-policy-task-force without change. All personal identifying information (for example, name, address, etc.) voluntarily submitted by the commenter may be publicly accessible. Do not submit Confidential Business Information or otherwise sensitive or protected information. NTIA will accept anonymous comments (enter “N/A” in the required fields if you wish to remain anonymous).
FOR FURTHER INFORMATION CONTACT:
Aaron Burstein, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW., Room 4725, Washington, DC 20230; telephone (202) 482-1055; email firstname.lastname@example.org. Please direct media inquiries to NTIA's Office of Public Affairs, (202) 482-7002.
The Executive Office of the President released Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (the “Privacy and Innovation Blueprint”) on February 23, 2012. Two central elements of the Privacy and Innovation Blueprint are: (1) A Consumer Privacy Bill of Rights, which is a set of principles the Administration believes should govern the handling of personal data in commercial sectors that are not subject to existing Federal privacy statutes; and (2) a multistakeholder process, which NTIA will convene, to develop legally enforceable codes of conduct that specify how the Consumer Privacy Bill of Rights applies in specific business contexts.
These discussions will be open to participation by all interested stakeholders, transparent, and consensus-driven.
Open participation is necessary to ensure that codes of conduct reflect input from the broad array of stakeholders that have interests in putting the Consumer Privacy Bill of Rights into practice. Any person or organization may choose to participate, no one is under an obligation to participate once discussions have started, and NTIA anticipates that there will be opportunities to join a process once it is underway. Transparency is necessary to allow those who do not participate in the process to understand how participants reached their decisions. Consensus of a broad set of stakeholders, achieved through a transparent process, will lend legitimacy to the code of conduct. At the same time, consensus will encourage companies to adopt codes of conduct; the decision to adopt a code of conduct is voluntary, and companies are unlikely to adopt a code about which they have serious reservations.
The privacy multistakeholder process is voluntary. A code of conduct will not be binding on a company unless and until that company affirmatively commits to follow it. NTIA expects that a company's public commitment to follow a code of conduct will be legally enforceable, provided the company is subject to the Federal Trade Commission's jurisdiction.
Enforceable codes of conduct based on the principles set forth in the Consumer Privacy Bill of Rights will provide consumers clear, understandable baseline protections and give businesses greater certainty about how agreed upon privacy principles apply to them. Companies will build consumer trust by engaging directly with consumers and other stakeholders during the process and adopting a code of conduct that stakeholders develop through this process.
Moreover, in any enforcement action based on conduct covered by a code, the FTC would likely consider a company's adherence to such a code favorably.
NTIA's role in the privacy multistakeholder process will be to provide a forum for discussion and consensus-building among stakeholders. In situations in which stakeholders disagree over how best to interpret the Consumer Privacy Bill of Rights, NTIA's role, as explained in the Privacy and Innovation Blueprint, “will be to help the parties reach clarity on what their positions are and whether there are options for compromise toward consensus, rather than substituting its own judgment.” 
Furthermore, stakeholder groups convened to develop codes of conduct will not be advisory committees, as neither NTIA nor any other Federal agency or office will seek consensus advice or recommendations on policy issues from participants in these privacy multistakeholder processes.
Request for Comment
Consumer Data Privacy Issues To Address Through Enforceable Codes of Conduct
NTIA plans to facilitate the development of enforceable codes of conduct that implement the full Consumer Privacy Bill of Rights. Initially, NTIA seeks to conduct a privacy multistakeholder process focused on a definable area where consumers and businesses will receive the greatest benefit in a reasonable timeframe. Areas of consumer data privacy in which stakeholders have begun to collaborate to develop practices, or to develop consensus around specific practices, could provide such a starting point. For example, commenters on the Department of Commerce's “Privacy and Innovation Green Paper” were in broad agreement that transparency is a key element of protecting consumers' privacy. An initial privacy multistakeholder process could focus on the Privacy and Innovation Blueprint's call to give consumers “easily understandable and accessible information about privacy and security practices” in a particular business setting.
Future iterations of the process could build on this initial work toward a comprehensive, enforceable code of conduct for that setting.
To identify potential consumer data privacy topics that would benefit from a multistakeholder process as well as risks and concerns, NTIA seeks comment from stakeholders.
1. NTIA seeks comment on what issues should be addressed through the privacy multistakeholder process. Among a variety of alternatives, NTIA is considering convening an initial multistakeholder process to facilitate the implementation of the Transparency principle in the privacy notices for mobile device applications (“mobile apps”). Mobile apps are gaining in social and economic importance.
However, as several commenters on the Privacy and Innovation Green Paper noted, mobile devices pose distinct consumer data privacy issues, such as disclosing relevant information about personal data practices on a small display.
Moreover, practices surrounding the disclosure of consumer data privacy practices do not appear to have kept pace with these rapid developments in technology and business models. Recent studies found that 33 percent of the top 10 paid mobile apps for three major mobile phone operating systems (thus, a total of 30 paid apps were studied), and 66 percent of the top 10 free mobile apps for the same operating systems, have privacy policies,
With respect to apps directed at children, a recent FTC report found that parents generally cannot determine which app poses privacy risks to their children before downloading an app.
A common set of practices that implement the Transparency principle in the Consumer Privacy Bill of Rights could provide guidance to mobile apps developers, operating systems, and apps stores, as well as better inform consumers about how mobile apps use personal data. An NTIA-convened effort toward this end could build on initial efforts to develop codes of conduct and best practices for mobile apps and devices and complement recent commitments by mobile device platform providers to promote transparency in the mobile arena.
NTIA seeks comment on other potential topics, including:
- Other issues associated with mobile apps in general (e.g., a code of conduct that implements the full Consumer Privacy Bill of Rights)
- Mobile apps that provide location-based services
- Cloud computing services, i.e., those that store data in architectures that provide on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service; or specific cloud computing market segments
- Accountability mechanisms (to enable companies to demonstrate how they are implementing the Consumer Privacy Bill of Rights)
- Online services directed toward teenagers (individuals 13 or older and younger than 18)
- Online services directed toward children (individuals under 13 years old) 
- Trusted identity systems, such as those discussed in the National Strategy for Trusted Identities in Cyberspace 
- The use of multiple technologies, e.g., browser cookies, local shared objects, and browser cache, to collect personal data
This list is not exhaustive, and NTIA welcomes comments on any of these topics as well as descriptions of other topics that commenters would like NTIA to consider for the privacy multistakeholder process.
2. Please comment on what factors should be considered in selecting issues for the privacy multistakeholder process.
Implementing the Multistakeholder Process
Commenters also may wish to provide their views on how stakeholder discussions of the proposed issue(s) should be structured to ensure openness, transparency, and consensus-building. Analogies to other Internet-related multistakeholder processes, whether they are concerned with policy or technical issues, could be especially valuable.
Possible subjects for comment include:
The Privacy and Innovation Blueprint calls for a code of conduct development process that is open to any interested participant. A broad array of perspectives and expertise will be necessary to ensure that the privacy multistakeholder process thoroughly addresses the issues before it. NTIA, as convener of the privacy multistakeholder process, will not set criteria that prospective participants must meet, such as their ability to represent specific industries or consumer interests. Nonetheless, there may be practical obstacles to such broad participation. For example, the time required to participate and the expense of attending in-person meetings may make it difficult for some stakeholders to participate. The following questions seek input on how NTIA can keep these barriers to a minimum and ensure that the privacy multistakeholder process is open, as a practical matter, to all interested stakeholders.
3. How can NTIA promote participation by a broad range of stakeholders, i.e., from industry, civil society, academia, law enforcement agencies, and international partners?
4. Which stakeholders should participate? What kinds of expertise or perspectives should participants have?
5. How can NTIA best ensure the process is inclusive, given that participants will likely have different levels of resources available to support their participation?
6. Are pre-requisites for participating in the privacy multistakeholder process consistent with the principle of openness? For example, what impact would a requirement to submit a brief position paper in advance of a stakeholder meeting have on participation?
7. What balance should NTIA seek to achieve between in-person and virtual meetings?
Providing timely, relevant information in an accessible manner is crucial to effective transparency.
Transparency, in turn, will enable all stakeholders to understand how decisions within the privacy multistakeholder process are reached, whether they participate in the process or not.
8. Which technologies could facilitate discussions among stakeholders before, during, and after in-person meetings?
9. How should discussions during meetings be memorialized and published? Are verbatim transcripts or full recordings necessary, or would a more abbreviated record be appropriate?
10. How can NTIA facilitate broad public review of codes of conduct during their development?
11. What procedures should stakeholders follow to explain their decisions on issues discussed within the privacy multistakeholder process?
12. What procedures should stakeholders follow to explain decisions they reach in concert with other stakeholders?
Ideally, stakeholders who decide to help develop an enforceable code of conduct will do so with a “willingness to work in good faith toward reaching consensus on the code's provisions.” 
Consensus, however, does not have a single definition. The obstacles to consensus are also likely to vary, based in part on how consensus is defined. NTIA seeks comments on how other multistakeholder processes in the Internet policy and standards realms have defined and reached (or failed to reach) consensus.
13. Are there lessons from existing consensus-based, multistakeholder processes in the realms of Internet policy or technical standard-setting that could be applied to the privacy multistakeholder process? If so, what are they? How do they apply?
14. How did those groups define consensus? What factors were important in bringing such groups to consensus?
15. Are there multistakeholder efforts that have failed to achieve consensus? Why did these efforts fail to reach consensus? What policies or standards, if any, resulted from these efforts?
16. In what ways could NTIA encourage stakeholders to reach consensus? Under what circumstances should NTIA facilitate discussions among sub-groups of stakeholders to help them reach consensus? In these cases, what measures would be necessary to keep the overall process transparent?
Response to this Request for Public Comments is voluntary. Commenters are free to address any or all of the issues identified above, as well as provide information on other topics that they think are relevant to developing policies consistent with open, transparent, voluntary, consensus-based processes for developing consumer data privacy codes of conduct. Please note that the Government will not pay for response preparation or for the use of any information contained in the response.
Dated: February 29, 2012.
Lawrence E. Strickling,
Assistant Secretary for Communications and Information.
[FR Doc. 2012-5220 Filed 3-2-12; 8:45 am]
BILLING CODE 3510-60-P