The commission calls for greater regulation of data brokers and a Do-Not-Track option that could be made law if not adopted voluntarily.
The Federal Trade Commission has released long-awaited recommendations for online privacy policies, calling for greater regulation of data brokers and more choices for consumers, including a Do Not Track option that could stop collection of most data.
FTC Chairman Jon Leibowitz praised the progress that the online advertising industry has made in implementing a voluntary but enforceable Do Not Track program, but he said work remains to be done and warned that public frustration could result in a legislative mandate if work is not completed quickly.
“I’m very hopeful that Do Not Track can be done without legislation,” Leibowitz said March 26 during a news conference. But if it is not, “it will be done with legislation.”
The chairman said the commission will work with the Commerce Department to support a consumer bill of rights initiative announced earlier this year. The program would use enforcement of existing FTC law, but the FTC would not propose any new rules of its own for online privacy, he said.
The report, "Protecting Consumer Privacy in an Era of Rapid Change," is a framework for businesses and legislators for creating policies that respect the consumer’s right to choose what information is gathered about their online activities and how that information is handled. A draft version was released in December 2010. The final version, although not binding, carries the weight of a commission recommendation, which could have more influence in Congress.
The report emphasizes three principles:
- Companies should design privacy protections into their operations and platforms.
- Privacy policies, which can run to thousands of words and dozens of pages, should be simplified and offer consumers meaningful choices.
- Companies should disclose details about their collection and use of data with greater transparency and provide access to it.
The report supports legislation for the currently unregulated data broker industry, third-party companies that gather and sell information collected from primary sources. These companies now can operate anonymously without the knowledge of individuals whose information is being gathered, and without any requirements for the security or accuracy of that information.
In addition to laws that would impose baseline security and accuracy requirements, the report also encourages data brokers to voluntarily create a central website to identify themselves and to disclose how they collect and use data.
It also supports general privacy legislation that sets baseline requirements for consumer privacy. Several such bills have been introduced in Congress. “We don’t endorse any specific legislation, but we endorse the idea of it,” Leibowitz said.
The final report narrowed the scope of some recommendations in the earlier draft, exempting small businesses and companies that do not transfer sensitive data from some proposed requirements.
The Do Not Track option recommended by the commission would let consumers opt out of having their online activities tracked by systems that commonly are used to deliver targeted advertising. Although this technology can help support otherwise free services, the commission supports the option as a fundamental right.
“Your computer is your property,” Leibowitz said. “No one has the right to put anything on it you don’t want.”
The release of the draft report in 2010 spurred the industry to develop a voluntary program allowing consumers to opt out of tracking. The Digital Advertising Alliance, which represents about 90 percent of online advertisers, said in February that members had agreed to honor a Do Not Track option and announced development of a standardized Web browser feature that would let consumers opt out of most tracking features with a single click. DAA members include Google, Yahoo, Microsoft and AOL.
Leibowitz said it is in the industry’s best interests to develop and respect the voluntary Do Not Track option but added that “more work needs to be done.” Do Not Track should mean “do not collect” information, and not just “do not advertise,” he said.
The Consumer Privacy Bill of Rights envisioned by the Obama administration and announced in February is a framework for establishing baseline protections for online consumers.
Ideally, it would have the force of law behind it, but currently it is being promoted as a voluntary program with only limited government enforcement authority. Participation by online businesses would be voluntary, although if companies include the provisions in their formal privacy policies, they would be subject to enforcement by the FTC.
NEXT STORY: Why NIST's cloud definition is fatally flawed