FTC Privacy Report Urges Congress to Pass Data-Security Legislation
The Federal Trade Commission issued a report this morning urging data brokers who trade in personal information such as names, addresses and purchase histories to create a centralized website that would make their practices more transparent. It also asked Congress to enact privacy legislation to supplement the online-advertising industry's self-regulation efforts.
The report, which contains final recommendations for how business and policymakers should address online policy, is the result of a preliminary report in December 2010. FTC Chairman Jon Leibowitz said in a press call this morning that the purpose of the recommendations is "not to erect a stoplight, but to take a look at the traffic patterns."
M4. Leibowitz said that in the past two years the Digital Advertising Alliance, a consortium of media and marketing associations, has made progress in its do-not-track program via the the Advertising Option Icon that members are using on their web pages. It gives users the choice of opting out of tracking. The DAA also agreed last month to honor users who seek to opt out of tracking through settings on their web browsers.
Mr. Leibowitz commended Apple, Mozilla and Microsoft for announcing new browser versions that let users tell websites not to track their activities and the World Wide Web Consortium (W3C) for working to develop an international standard for do-not-track. (On the heels of the Obama administration's announced blueprint for a "privacy bill of rights" last month, Google announced it would allow a do-not-track button to be embedded in Chrome.)
The FTC will work with these groups to move toward "complete implementation" of do-not-track over the course of the year, Mr. Leibowitz said. "Do-not-track' needs to mean 'do-not-collect,' not just 'do-not-advertise,' and the DAA is moving in the right direction," he added.
While Congress considers privacy legislation, Mr. Leibowitz articulated his belief that industry has the resources and motivation to successfully self-regulate. "I'm very hopeful that do-not-track can be done without legislation," he said. "But if it can't be, I think it will be done with legislation."
Mr. Leibowitz was emphatic in renewing a call for data-security legislation that would give consumers access to the information a data broker possesses about them. He added that the FTC has taken an active role in addressing recent breaches, including actions against Google and Facebook and stopping apps that collect children's information without parental consent. The report calls for brokers that sell data to marketers to create a centralized website that explains why they're collecting and using data and what rights the user has to it.
However, since the FTC is an enforcement agency, Mr. Leibowitz stressed that it would not be conducting any "rulemaking" in the area of data security, aside from its enforcement of the Children's Online Privacy Protection Act. He said that the Department of Commerce will be working with industry to develop "sector-specific codes of conduct" on privacy, which the FTC will start to take into account in its law-enforcement work.
The report also addresses the Wild West of mobile-app development, where reports of questionable privacy policies have recently snowballed. It calls on mobile services to focus on developing "short, meaningful disclosures" in their terms of service so that it's clear to users what information is being collected. Mr. Leibowitz pointed out that while the Declaration of Independence is 1,337 words long, his staff recently encountered a mobile policy that takes 102 clicks to get through.FTC Report: Protecting Consumer Privacy in an Era of Rapid Change