On Monday, the Federal Trade Commission released a privacy framework that outlined the agency’s suggestions for companies wrestling with the issue of consumer privacy.
What did the FTC recommend?: The agency recommended that Congress consider baseline privacy legislation regulating data brokers, The Washington Post reported.
As The Post’s Cecilia Kang wrote, “The FTC called for legislation on data brokers — the Web's information middlemen, such as Lexis Nexis and Choicepoint — who take data that has been collected online and merge the information with documents offline to create detailed portraits of consumers.”
The report said that the government should work with businesses to further develop industry self-regulation measures.
We wanted “not to erect a stop light” for businesses but to “take a closer look at traffic patterns,” FTC Chairman Jon Leibowitz said during a news conference.
Didn’t they already issue a report?: The FTC did issue a preliminary report in December 2010, advocating for many of the same proposals.
What changed from the first report?: The FTC made a few changes to its preliminary report, narrowing it so that it doesn’t apply to smaller companies that collect non-sensitive data and clarifying its position on anonymized data.
From the agency’s news release: “The final report changes the guidance’s scope. The preliminary report recommended that the proposed framework apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer, or other device. Recognizing the potential burden on small businesses, the report concludes that the framework should not apply to companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year.
“The report also responds to comments filed by organizations and individuals that, with technological advances, more and more data could be ‘reasonably linked’ to consumers, computers, or devices,” the release said. “The final report concludes that data is not ‘reasonably linked’ if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.”
What about the White House report?: The White House released its own privacy framework, called the “Privacy Bill of Rights,” a little over a month ago. It outlined six rights that all consumers should have over their own data: transparency, respect for context, security, access and accuracy, focused collection and accountability.
How do the White House and FTC reports reconcile?: Both highlight consumer control and transparency, and both make recommendations for legislation. The FTC and the White House will work together going forward on proposals for how companies can deal with consumer data.
How have lawmakers reacted?: Lawmakers who have already been vocal advocates of privacy legislation were quick to point out that the FTC report underscores a need for privacy legislation.
“This report encourages Congress to pass legislation to promote consumer online privacy protection, and I think that’s a recommendation the Committee needs to seriously consider,” said Sen. Jay Rockefeller (D-W.Va.). “I also agree with the FTC’s conclusion that online companies need to do a better job of honoring consumer requests when they make a ‘do-not-track’ request on their Internet browsers. Those companies said they’d do that, and they need to make good.”
Sen. Patrick Leahy (D-Vt.) urged the Senate to consider his data privacy bill, which has already passed through the Judiciary Committee.
“The Personal Data Privacy and Security Act would establish a single nationwide standard for data breach notification, and require that companies that have databases with sensitive personal information to establish and implement data privacy and security programs,” Leahy said. “The Judiciary Committee has previously reported similar legislation three times, each time with strong, bipartisan support. Today’s FTC report highlights the need for Congress to finally enact this necessary legislation.”
Finally, Sen. John Kerry (D-Mass.), who co-authored Internet privacy legislation with Senator John McCain (R-Ariz.), said that the report should encourage Congress to act quickly on privacy.
“This report again affirms the value of setting a national standard for the collection, use, and distribution of personal information,” Kerry said in a statement. “This discussion is taking place at home and abroad, and we’d be wise to act now rather than defer decisions until future Congresses.”
How have privacy advocates reacted?: Reaction from privacy advocates has been mixed, though many have applauded the agency’s call for baseline legislation and its attention to “do not track” and mobile devices.
“The FTC has delivered an important reminder that Do Not Track standards must address the collection of behavioral data as well as its use,” said the Center for Democracy and Technology’s Director of Consumer Privacy Justin Brookman. “Moreover, the FTC rightfully refocuses attention on the heightened privacy concerns presented when ISPs, operating systems, and browsers have broad access to consumers’ online activities.”
The agency did draw some criticism, however, from those who wanted to see stronger action, particularly on the “do not track” component of the proposal.
“[We] call on the FTC to specifically spell out how to ensure consumers have meaningful ‘choice’ to control the collection and use of their information,” said Jeff Chester of the Center for Digital Democracy. “The commission’s overall support for industry self-regulation (such as the largely invisible ‘icon’ placed on ads) is disappointing, and reveals a FTC still too often constrained from effectively protecting the public.”