I
M
A
G
E
B
Y
A
N
D
R
I
J
B
O
R
Y
S
A
S
S
O
C
I
A
T
E
S
/
S
H
U
T
T
E
R
S
T
O
C
K
privacy practices that will help companies assess privacy risk and adopt
measures appropriate to the risk. In
parallel, the NTIA, also part of the
Department of Commerce, released
a Request for Comments (RFC) on a
two-part approach to consumer privacy: the first part describes desired
user-centric privacy outcomes and
the second sets high-level goals outlining an ecosystem to achieve those
outcomes.
5 The RFC proposes no
changes to existing sectoral privacy
laws, and, perhaps because it was developed in cooperation with the National Economic Council, the second
part on high-level goals emphasizes
maintaining “the flexibility to innovate” and proposes to employ a “risk
and outcome-based” approach as opposed to one of compliance.
While no one loves red tape, inno-
vation has its downside (remember
those innovative collateralized debt
obligations?), and loss of privacy is
not easy to remedy. Companies al-
ready have the option of building in
“privacy by design,” but relatively few
have done so. To me, a requirement
also “information that identifies, re-
lates to, describes, is capable of being
associated with, or could reasonably
be linked, directly or indirectly, with
a particular consumer or household.”
The law enumerates almost a dozen
categories of personal information,
but exempts “publicly available” in-
formation (also defined in the law).
Implementation details must be
worked out before the law takes effect
in 2020. The law has triggered nation-
al discussion and legislative propos-
als in other states.
Also in June, the U. S. Supreme Court
handed down a decision in Carpenter
v. U. S.
3 This decision represents a no-
table limitation of the “third-party
doctrine” wherein a government
request to a third party to produce
data an individual has voluntarily
surrendered to it does not require
a warrant. This doctrine, in place in
the U.S. since 1979, is the basis for
the idea that once a consumer sur-
renders data to a company as part
of a transaction, the consumer loses
any expectation of privacy for that
data. As such, it has had major impli-
cations for, among other things, Inter-
net-based transactions of all kinds.
The 5-4 decision had four separate
dissenting opinions. The majority characterized the decision as “narrow”
because it did not overturn the third
party doctrine per se. Rather, it recognized the information in this case
(cellphone site location information
or CSLI records) deserves separate
treatment because it is so invasive
of “the privacies of life.” Further,
Justice Gorsuch’s dissent argues for
overturning the third-party doctrine.
He proposes the consumer may well
have a property interest in CSLI records held by the telephone company, although that argument was not
put forth in this case. Other classes
of data routinely collected by third
parties could be equally invasive to
the privacies of life; more litigation
may follow.
In the fall, NIST initiated the development of a privacy framework.
10
Like the cybersecurity framework it
released in 2014 and updated in April
2018,
11 the privacy framework is not to
be a standard, but a guide to common