FRAMINGHAM, Mass. – The U.S. Federal Trade Commission has released the long-awaited final version of its report on online consumer privacy, issuing a set of recommendations broadly consistent with an earlier draft, including a call for a do-not-track tool that would enable users to opt out of data collection and targeted marketing programs on the Web.
With Monday’s report, the FTC continues to prevail on members of the Internet and advertising industries to develop meaningful, broadly adopted codes of conduct to provide consumers with more insight about what information is being collected and how it is being used, as well as tools to limit access to that data such as the do-not-track option that the leading browser makers have endorsed.
The report presses three themes that could be described as best practices for businesses operating on the Internet:
1. Privacy should be incorporated into new products and services by design.
2. Businesses should provide consumers with simplified ways to control their information.
3. Corporate data collection practices should be transparent to the public.
At a news conference announcing the new report, FTC Chairman Jon Leibowitz praised the efforts that industry stakeholders have made in crafting new privacy tools and policies, and reiterated his hope that a self-regulatory approach can achieve meaningful consumer safeguards.
“We are demanding more and better protections for consumers and consumer privacy not because industry is ignoring the issue. In fact, the best companies already follow the privacy principles laid out in our report,” Leibowitz said. “And in the last year, online advertisers, major browser companies and the World Wide Web Consortium, an Internet standards-setting group, have all made great strides toward putting in place the foundation of a do-not-track system.”
In that spirit, Leibowitz said that the FTC will not initiate any independent rulemaking proceedings concerning privacy, save for the update to the Children’s Online Privacy Protection Act that is already underway.
But he also warned Web companies and their trade associations that the window for self-regulation may be closing. Leibowitz said that he is hopeful that do-not-track can be implemented without a government mandate, but if the industry stakeholders are unable to achieve that goal by the end of the year, they could face the prospect of broad, bipartisan support for tough privacy legislation in the next session of Congress.
“I’m very hopeful that do not track can be done without legislation,” Leibowitz said. “But if it can’t be, I suspect it will be done with legislation. And I think in many ways companies would be — they recognize they’d be wise to avoid that particularly when they’re supportive of it.”
(In Canada, online consumer privacy of federally-controlled organizations — including banks and Internet service providers — is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Other online personal information may be overseen by provincial legislation. Quebec, B.C. and Alberta have laws similar to PIPEDA.)
For its part, the FTC is making a number of legislative recommendations, including support for a baseline online privacy bill, though not necessarily one that includes the do-not-track mandate. Rather, the agency is advocating for a bill that would codify basic principles about transparency and the ownership of data, specifically enshrining the precept that consumers own and should have control of their personal information.
“I think that’s a pretty conservative notion and I think it’s one with a lot of bipartisan support,” Leibowitz said. “We don’t endorse a particular piece of legislation, but we endorse the notion of it.”
The FTC is also calling for data security legislation and a law that would create new rules concerning transparency and choice for data brokers, a set of companies that are deeply involved in the exchange of consumer information online, but that largely operate behind the scenes. As a matter of practice, the FTC’s ability to initiate legal action against a bad actor is significantly limited by its statutory mandate, and many of these companies may not be covered by areas in which the agency has explicit enforcement authority, such as its powers under the Fair Credit Reporting Act.
FTC officials have recently expressed concerns that data brokers, by operating out of public view, aren’t subject to the consumer backlash and reputation damage that arise when a prominent company makes a privacy misstep, factors that can serve as powerful incentives to protect consumer information.
“It’s not like you’re going on Amazon or you’re going on Netflix and you have a direct interface with the company … whose site you’re on,” Leibowitz said. “We’re talking about data brokers who online and off collect information and consumers have no idea that the information’s being collected or how it’s being monetized and sold.”
The FTC is asking data brokers to develop an industry-wide Web portal that would identify the companies and explain what information they collect and how they use it.
The new report puts the finishing touches on a staff-level draft of consumer privacy recommendations that the agency issued in December 2010, updating that document with legislative proposals and the imprimatur of the commission’s leadership. As it looks ahead, the FTC plans to continue its work with industry stakeholders in the hopes of advancing work on do-not-track and other privacy practices. The agency is planning to convene a privacy workshop May 30.
The commission also continues to collaborate with the White House and Commerce Department, which earlier this year released a policy document endorsing a consumer bill of rights, a framework that drew on input from the FTC and other agencies.
In the meantime, the FTC will continue to exercise the authorities it has under existing statutes, which, while limited in the online privacy sector, empower the agency to target specific companies for unfair or deceptive practices.
Last year, for instance, the FTC took actions against two leading Web companies that have been at the forefront of the online privacy debate, reaching settlements with Google and Facebook under which the firms agreed to long-term monitoring and independent auditing of their data-collection and usage practices, among other conditions.