Communications of the ACM

I M A G E B Y A N D R I J B O R Y S A S S O C I A T E S / S H U T T E R S T O C K

privacy practices that will help companies assess privacy risk and adopt measures appropriate to the risk. In parallel, the NTIA, also part of the Department of Commerce, released a Request for Comments (RFC) on a two-part approach to consumer privacy: the first part describes desired user-centric privacy outcomes and the second sets high-level goals outlining an ecosystem to achieve those outcomes. 5 The RFC proposes no changes to existing sectoral privacy laws, and, perhaps because it was developed in cooperation with the National Economic Council, the second part on high-level goals emphasizes maintaining “the flexibility to innovate” and proposes to employ a “risk and outcome-based” approach as opposed to one of compliance.

While no one loves red tape, inno-
vation has its downside (remember
those innovative collateralized debt
obligations?), and loss of privacy is
not easy to remedy. Companies al-
ready have the option of building in
“privacy by design,” but relatively few
have done so. To me, a requirement
also “information that identifies, re-
lates to, describes, is capable of being
associated with, or could reasonably
be linked, directly or indirectly, with
a particular consumer or household.”
The law enumerates almost a dozen
categories of personal information,
but exempts “publicly available” in-
formation (also defined in the law).
Implementation details must be
worked out before the law takes effect
in 2020. The law has triggered nation-
al discussion and legislative propos-
als in other states.

Also in June, the U. S. Supreme Court
handed down a decision in Carpenter
v. U. S. 3 This decision represents a no-
table limitation of the “third-party
doctrine” wherein a government
request to a third party to produce
data an individual has voluntarily
surrendered to it does not require
a warrant. This doctrine, in place in
the U.S. since 1979, is the basis for
the idea that once a consumer sur-
renders data to a company as part
of a transaction, the consumer loses
any expectation of privacy for that
data. As such, it has had major impli-
cations for, among other things, Inter-
net-based transactions of all kinds.

The 5-4 decision had four separate dissenting opinions. The majority characterized the decision as “narrow” because it did not overturn the third party doctrine per se. Rather, it recognized the information in this case (cellphone site location information or CSLI records) deserves separate treatment because it is so invasive of “the privacies of life.” Further, Justice Gorsuch’s dissent argues for overturning the third-party doctrine. He proposes the consumer may well have a property interest in CSLI records held by the telephone company, although that argument was not put forth in this case. Other classes of data routinely collected by third parties could be equally invasive to the privacies of life; more litigation may follow.

In the fall, NIST initiated the development of a privacy framework. 10 Like the cybersecurity framework it released in 2014 and updated in April 2018, 11 the privacy framework is not to be a standard, but a guide to common