ITI Releases FAIR Privacy Framework
The Information Technology Industry Council (ITI) recently released the FAIR Privacy Framework to provide guidance to Congress as it develops a new federal privacy law. The framework establishes a set of principles to enhance transparency, increase consumer control, establish company accountability and promote security. The full name is the Framework to Advance Interoperable Rules (FAIR) on Privacy.
The details of the FAIR Privacy Framework include:
– Personal data is defined as any data reasonably linked to a specific natural individual. Sensitive personal data consists of ethnic origin, political affiliation, religious or philosophical belief, trade union membership, genetic data, biometric data, health data, sexual orientation, certain data of known minors and precise geolocation data. It specifically excludes data that is anonymized, pseudonymized, or publicly available.
– Promotes transparency through meaningful, clear, conspicuous and useful disclosures that include the type of personal data collected; the entity collecting the data; how it will be used; how long it will be retained; access to and sharing with third parties; and an explanation of any control, choice or redress mechanisms available.
– Individuals should have control over the use of their personal data where it is reasonable given the context. These rights shall include, subject to context, the right to access, correct, port and delete their personal data, and to consent or object to its use. Opt-in consent is required for the use of a consumer’s sensitive data.
– Companies should ensure that all uses of personal data are legitimate. Legitimate uses include those uses appropriate to the context where the privacy risk is negligible or minimized to a reasonable level, where the benefits outweigh any potentially negative impacts, where individuals have given informed and unambiguous consent, where it is necessary to provide a requested good or service, for specified public interest uses, and a few other identified justifications.
– Organizations acting as a service provider should only use personal data in accordance with the instructions of the entity that provided the data. Companies that provide access to or transfer personal data to a service provider should perform due diligence to ensure the provider has appropriate procedures and controls in place to protect the data.
– Companies should institute measures and processes to comprehensively identify, assess and monitor privacy risks to individuals.
– Companies should implement comprehensive security programs that are reasonable and proportionate to the size and complexity of their operations, the nature and scope of activities, and the sensitivity of personal information.
– Companies should maintain records so that they are auditable by the designated authority in the event of an incident.
Apple, Facebook, Samsung, Amazon and Google are all members of the Information Technology Industry Council. Privacy frameworks have now also been released by the National Telecommunications and Information Administration (NTIA), the U.S. Chamber of Commerce, and Google. The National Institute of Standards and Technology (NIST) is also developing a voluntary Privacy Framework with the community, modeled after its successful Cybersecurity Framework developed a few years back.
Other Blog Posts on Proposed Federal Privacy Law Changes:
NIST Voluntary Privacy Framework
NTIA Global Privacy Priorities
Media Reports White House Considering Privacy Law Changes
Business Roundtable Privacy Framework
Intel Draft Privacy Law
ITI FAIR Privacy Framework
US Chamber of Commerce Privacy Principles