Say 'appropriate' preemption is warranted; computer cos. also raise doubts about need for FTC rulemaking authority

Big computer companies and edge providers are in agreement that federal privacy legislation currently being contemplated by the White House and Congress should preempt state efforts to regulate privacy. They also advise the Trump Administration and Congress not to be in too much of a hurry to give the FTC rulemaking authority.

The Internet Association (IA) and Computer & Communications Industry Association (CCIA) made those points in filings with the National Telecommunications & Information Administration (NTIA), which sought comment on a framework for protecting privacy. NTIA is President Trump's principal communications advisory agency. Comments were due Friday (Nov. 9).

NTIA is looking to come up with "a set of user-centric privacy outcomes that underpin the protections that should be produced by any Federal actions on consumer-privacy policy, and a set of high-level goals that describe the outlines of the ecosystem that should be created to provide those protections." That language signals the Trump Administration is not looking to come up with suggestions for prescriptive regulations in that space, which is not surprising given the President's emphasis on getting rid of regulations rather than creating new ones.

In June, California passed a privacy bill that established a consumer right of privacy, though one based on disclosure and the right to opt out of data collection or third-party sharing, and to have their data deleted if they chose. The bill, which does not go into effect until 2020, followed congressional Republican's nullification of an online privacy framework approved by the FCC under then-Democratic Chairman Tom Weeeler. Other states are making similar efforts to fill what they see as a privacy void, which edge providers and ISPs oppose as a "patchwork" approach that is hard to comply with.

Related: Amazon Slams Calif. Privacy Bill

In its comments, CCIA said that "where appropriate" state laws on data privacy, breach notification and security should be preempted by an overarching federal baseline privacy protection. IA said: "A national privacy framework should be consistent throughout all states, preempting state consumer privacy and data security laws."

The companies also want NTIA to come up with its framework ASAP since congress is on a parallel track in its efforts to come up with the legislation to create that framework, though getting a divided Congress to agree on issues like what is personal information, where and whether there should be an opt-in requirement for data sharing, and the sticky preemption issue, will make that a tall order.

Some privacy activists and Hill Dems argue that preemption should not occur where the state laws are tougher than a national standard.

Those same activists have been pushing for any new federal privacy legislation to give the Federal Trade Commission, which has principle authority over enforcing online privacy, both from edge providers and ISPs, the ability to come up with rules and levy penalties. Currently it enforces privacy by seeking settlements—financial and otherwise—or suing companies for deceptive or anticompetitive conduct.

But the Internet Association says not so fast: "The FTC has said that it believes that it needs APA rulemaking authority and civil penalty authority as part of a new federal law," it told NTIA. "IA believes that it is premature to conclude that rulemaking and civil penalty authority is necessary for a law that has yet to be drafted, let alone enacted."

Related