The bones of a plan to balance consumer privacy and businesses’ need to gather data online was aired yesterday by the Federal Trade Commission and was greeted with both praise and criticism.
In a 122-page preliminary report, the agency called for any company collecting or using consumer data that can be linked to a specific consumer, computer or device to promote consumer privacy throughout their organizations and at every stage of development of their products and services.
The report, titled “Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policymakers,” also called on those companies to inform consumers when data is being collected from them and to increase the transparency of their data collection and use practices.
In addition, it proposed the implementation of a “Do Not Track” mechanism to give consumers control over what data companies can collect from them.
A hearing on legislation to create such a Do Not Track mechanism is being held Thursday by the U.S. House Committee on Energy and Commerce.
“Technological and business ingenuity have spawned a whole new online culture and vocabulary — email, IMs, apps and blogs, much of it free — that consumers have come to expect and enjoy,” FTC Chairman Jon Leibowitz said.
“The FTC wants to help ensure … that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice,” he continued. “We believe that’s what most Americans want as well.”
‘Failed Dismally to Self-Regulate’
Government action to protect the online privacy of consumers has become necessary because efforts by businesses to do so have been inadequate, Leibowitz asserted.
“[D]espite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for Americans,” he said. “Consumers deserve far better from the companies they entrust their data to, and industry, as a whole, must do better. We’re concerned that self-regulation is not keeping pace with technology.”
The chairman also pledged to step up immediately FTC enforcement efforts against privacy violators. “The FTC will take action against companies that cross the line with consumer data and violate consumers’ privacy– especially when children and teens are involved,” he declared. “You’ll see more privacy cases in the coming weeks and months.”
The industry’s report card on privacy appears to be a mixed bag. “The industry has failed dismally to self-regulate up until now,” Rainey Reitman, an activist with the Electronic Frontier Foundation in San Francisco, told the E-Commerce Times.
“It’s theoretically possible that when faced with this report from the FTC, the industry will realize it needs to get its act together and try to come up with a more comprehensive solution,” she conceded. “Most privacy advocates are very skeptical of that.”
Government intervention is needed because the industry has shown it can’t regulate itself, Susan Grant, director of consumer protection for the Consumer Federation of America in Washington, D.C., told the E-Commerce Times. “The FTC clearly stated here that, while industry voluntary efforts are to be applauded, they’re not enough,” she said. “They’re too slow. The industry hasn’t acted in a prompt manner to concerns expressed by the FTC going back some years now.”
Not everyone, though, is giving the industry an F for their privacy efforts. “The FTC should give the industry a little more credit for what it has done so far,” Daniel Castro, a senior analyst with theInformation Technology and Innovation Foundation inWashington, D.C., told the E-Commerce Times.
“Everything in technology is an iterative process,” he continued. “It’s getting better and better every year. There’s been a huge improvement where it was five years ago.”
What the FTC wants — enhanced notice and a simple, comprehensive opt-out mechanism — is embodied in a self-regulatory program launched in October by the industry that sets guidelines for firms engaging in online behavioral advertising, according to the Interactive Advertising Bureau. The industry developed this program without the need for government regulation, the organization has stated.
It strongly opposes the creation of a Do Not Track mechanism. If mandated by the government, the bureau maintains, this would be tantamount to a government-sponsored, and possibly managed, ad-blocking program, which it called inimical to the First Amendment.
Technology to the Rescue
While the industry can’t self-regulate adequately, government mandates aren’t the answer either, argued Eben Moglen, a law professor at Columbia University in New York City and a founding director of the Software Freedom Law Center.
“Data mining industries are being built in the United States which are incapable of self-regulating to avoid surveilling people,” he told the E-Commerce Times. “Comprehensive surveillance of a kind that would have been regarded as totalitarian in nature just five minutes ago is their business model.”
“Expecting them to self-regulate themselves out of business is not going to happen,” he continued.
He maintains that there are technological fixes that can be adopted by consumers that can be more effective than either government intervention or industry self-regulation. Within a year, he predicted, an affordable wireless router will be available that will restore its users’ privacy — encrypts their email, gives them a telephone company inside a box, provides anonymous Net surfing and furnishes them with social networking that’s feature compatible with Facebook, Flikr and other centralized services but will be decentralized and optimized for privacy.
“With that technology, we’re going to be able to strike back at privacy intrusions in a workable fashion in people’s actual lives,” he said.