When the Default is No Penalty: Negotiating Privacy at the NTIA

Consumer privacy protection is largely within the purview of the Federal Trade Commission. In recent years, however, the National Telecommunications and Information Administration (NTIA) at the Department of Commerce has hosted multistakeholder negotiations on consumer privacy issues. The NTIA process has addressed mobile apps, facial recognition, and most recently, drones. It is meant to serve as a venue for industry self-regulation. Drawing on the literature on co-regulation and on penalty defaults, I suggest that the NTIA process struggles to successfully extract industry expertise and participation against a dearth of federal data privacy law and enforcement. This problem is most exacerbated in precisely the areas the NTIA currently addresses: consumer privacy protection around new technologies and practices. In fact, industry may be more likely to see the NTIA process as itself penalty-producing and, thus, be disincentivized from meaningful participation or adoption.