Memorandum: Commercial Data Privacy and Innovation in the Internet Economy

The Department of Commerce’s “Internet Policy Task Force” has prepared a green paper for the Obama Administration advocating certain policy changes as they relate to Internet privacy law.

The Task Force recommends a “Dynamic Privacy Framework” to promote privacy in the United States. The Framework would include:

Fair Information Practice Principles (FIPPs)

Fair Information Practice Principles, or “FIPPs,” are already in use by certain data handlers, such as the Department of Homeland Security. They are a set of broad principles designed to guide the handling of individuals’ data. For example, one of DHS’s principles is:

Transparency: Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).

Clearly, the FIPPs are broad and would be used as guides for further rulemaking, rather than as rules in and of themselves.

The Creation of Industry-Specific Privacy Codes of Conduct

Submissions to the Task Force raised concerns that the overly broad nature of the FIPPs would make them difficult to comply with across various industries. The green paper proposes that each industry work with the Administration and state consumer protection authorities to develop “voluntary” codes of conduct.

A business would not be required to follow the code of conduct for its industry, but a business that did adhere to it would be protected from FTC enforcement action. In effect, this is a safe harbor proposal for anyone who agrees to follow the codes. The codes would therefore be voluntary only in the sense that a business remains free to decline them and accept the resulting exposure to FTC fines and other regulatory red tape.

National Standards for Security Breach Notifications

A Security Breach Notification, or “SBN,” is a notice sent by a business to the people affected by a breach of its security that might expose their personal information. Currently, each state legislates its own requirements for when and how businesses must notify affected customers (and, in some states, law enforcement or other government agencies) of a security breach.

The problem that many businesses cited to the Task Force is that, for a business with operations in more than one state, compliance is a burden: it must comply with each state’s SBN law and stay current on changes to every one of them.

The green paper proposes that a National Standard for Security Breach Notifications be developed. Businesses that currently have to comply with the SBN laws of every state in which they operate would then have to comply with a single SBN requirement. Even if that requirement were stricter and more burdensome than any individual state’s, businesses that serve clients in many states would likely benefit, because their overall compliance burden would decline.

Preemption of State Law

As stated above, compliance with different jurisdictions’ privacy laws presents a problem for interstate businesses. The green paper proposes that where federal and state laws apply to the same subject matter, the federal law would preempt the state law.

State laws covering unfair or deceptive practices would still apply. Additionally, state laws that are more restrictive than the federal law would continue to apply (which seems to leave businesses with the same burden of complying with differing laws across states).

Although the federal law would preempt state law, state attorneys general would be authorized to enforce the federal law. The idea is to let each state decide which areas need enforcement priority, since those priorities may differ from one jurisdiction to another.

This is just a sample of what the Department of Commerce has proposed for a federal privacy regime. For more information about the green paper, contact a lawyer knowledgeable about electronic privacy law.
