The FTC jumped in at this intersection of high-tech innovation and privacy rights not to erect a stop light but to look at traffic patterns. We asked who should control the personal information that consumers reveal — about sites they view, purchases they make, people they talk to, even physical locations they visit — when they surf the Web or use their mobile devices. Are consumers to be defined and judged by what the Atlantic called the “unconsciously created profile” they amass online? Or should they get some say in what personal information employers, marketers and the public see?
The stakes are high. There are clear benefits to the collection and sale of personal information: It funds the innovative online content we all enjoy for free and fuels the growth of the cyber-economy, a bright spot on our economic horizon. But allowing the minute details of our browsing behavior, shopping habits, and even sensitive financial, health and family decisions to run loose in a freewheeling, high-tech data market comes with equally clear risks. Do we want our health insurer to know we bought a deep fryer on Amazon? Our future employer to see that unfortunate picture of the first, and last, frat party we attended? Our neighbors, pastor or complete strangers to find out whether we are pregnant, have HIV, take antidepressants or attend anger-management classes?
To ensure that consumers retain control of their personal information, our report lays out three simple but powerful principles for companies to follow when handling consumer data: Incorporate privacy protections into products as they are developed — that is, privacy by design; offer consumers more choice about how their data are collected and used; and provide more transparency with better information explaining to consumers how the companies — including the data brokers who, for the most part, remain invisible to consumers — handle personal information. Our report also renews our call for industry to develop a Do Not Track system that would let consumers choose what information is collected about them online and how it is used.
We first proposed Do Not Track in December 2010. Since then, online advertisers have developed an icon-based Do Not Track system that has buy-in from companies representing 90 percent of the advertisers who track users online. Most major browser vendors now allow users to choose whether they wish their Web browsing to be followed, and the advertising industry has agreed to honor consumer choices made through that route. An international Internet standard-setting group has brought academics, technologists, privacy advocates, consumer groups and industry together to work on the architecture of a universal Do Not Track mechanism.
This effort on behalf of industry is heartening, as is the adoption by many companies of the best practices we lay out in the report. These companies understand that giving customers choice begets trust, and trust begets commerce. Although Congress may someday write these practices into law, smart businesses know that protecting consumer privacy is simply good business strategy.
But we cannot yet say that the right to privacy has reached the 21st century intact. The Do Not Track system put in place by industry is not yet easy enough to use nor effective enough at stopping tracking. Social networks and other large platforms struggle with the thin line between sharing information andtoo much information. And too many companies still have not bolstered their privacy practices to withstand the challenges of an increasingly online market. For example, an FTC staff survey of children’s apps found that Google’s Android Market and Apple’s iTunes App Store didn’t offer parents any information on the kind of data the apps collect about children, who is collecting it and why.
Our report calls on Congress to take up baseline privacy legislation to provide clear rules of the road for companies, ensuring that those who follow best practices are not put at a competitive disadvantage. We also ask for targeted laws addressing data security and data breaches and requiring data brokers to give consumers reasonable access to the personal information the brokers maintain.
For our part, we at the FTC will continue to hold companies to the privacy promises they make — as we did in settlements with Google and Facebook that required them to improve the way they handled users’ data. We will work with industry to improve their Do Not Track system. And we will engage the public in understanding and advocating for their right to have their personal information treated with care.
Americans deserve respect for their privacy, online and off. It is time to move the conversation about privacy, this “right most valued by civilized men,” beyond Washington and out to where all serious determinations of how to safeguard basic rights and freedoms in this country begin.