The FTC’s preliminary online privacy report is now public. Protecting Consumer Privacy in an Era of Rapid Change,
released Wednesday, comes after a year of consultations on the many issues surrounding consumer privacy.
After reviewing the document here at CCIA, we think it represents an
important step forward for the FTC in their handling of important
privacy issues, but there are still many unanswered questions and
concerns in the privacy space.
The FTC’s approach to privacy enforcement has needed updating for a while. Its previous focus on harms-based approaches and narrow notice and consent framework was effective, but also showing its age. To its credit, the FTC recognized this and is now working on a modern framework for privacy enforcement that integrates up-to-date concepts of fair information practices.
In updating their framework, the FTC wrestled with a number of modern privacy questions. In the report, they questioned the validity of the old harm-based models and the distinction between personally and non-personally identifiable information.
The report lays out three “building blocks” for privacy protection: integrating privacy thinking into the design of processes and systems, a simplified notice and choice system, and enhanced transparency on the part of data collectors. These three ideas form an outline for a strong privacy enforcement regime at the FTC.
One particular part of the framework has gotten a good deal of press this week, including a Congressional hearing yesterday: a do-not-track technology that consumers could use to prevent data being collected about them or used to sell them products. While an intriguing idea, do-not-track has more questions surrounding it than answers right now. We will be following the progress of this proposal closely.
The report leaves some remaining questions. First, it doesn’t address how the new framework might be implemented. Without rulemaking authority, which the FTC does not generally have, it is not immediately clear how this proposed framework may turn into enforceable standards, whether in a self-regulation regime, under the FTC’s current Section 5 “unfair or deceptive trade practices” authorization or with Congressional legislation..
Secondly, there are many aspects of privacy that CCIA addressed in our comments to both the FTC in November of 2009 and the Commerce Department in June of 2010, but which did not make it into the FTC report. We would have liked to have seen the FTC address important issues like the particular challenges of cloud computing, the urgent need to reform the Electronic Communications Privacy Act, and the myriad problems with deep packet inspection, which did not get the attention they deserved in the preliminary report.
The FTC has asked for public comment on the preliminary report by January 31, 2011, so we will be discussing the report with our members.
