New Privacy Report From Federal Trade Commission (FTC)

The FTC released its 122 page Privacy Report today.  This Report has been anticipated for some time. The FTC Chairman, Jon Leibowitz, summed up the purpose behind the FTC’s involvment in data privacy and security with release of the Report stating:

Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well.

The Report is issued as "A Proposed Framework For Business and Policymakers."  The Report is intended to "inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy."  It is also intended to be a framework for how companies should address privacy. 

The biggest news making aspect of the Report is the endorsement of a Do Not Track system that would permit consumers to limit or control the amount of information given to advertisers that track consumers’ online behavior.  This would be similar to the Do Not Call registry. 

For an excellent review of this far reaching Report, and its implications, read this post on the Privacy and Security Law Blog.  For more information on the Do Not Track and online behavior tracking aspects of the Report, here is a post from Electronic Frontier Foundation.  In the days ahead, there will be many more blog posts about the Report.

For now, if you are a company that collects data for online behavior tracking or stores personally identifiable information (PII such as name, address, ss#, date of birth, etc),  this Report should be reviewed albeit with the understanding that it is a proposed framework and will not be a final report until sometime in 2011.  The Report will be subject to much debate and critical comment, but might also serve as a best practices guide post. 

My general take away points from the Report are that the FTC: 

  • Endorses a Do Not Track system
  • Expects privacy policies to be based on notice and choice for consumers
  • Opines that many companies "do not adequately address consumer privacy"
  • States privacy policies should reflect the level of sensitivity of the data it seeks to protect
  • Wants companies to promote consumer privacy throughout development of its services and products or adopt "privacy by design"
  • Wants Companies to make it easier for consumers to understand privacy policies and data collection
  • Wants consumers to have more choice on opt in or opt out for data collection

The FTC will take public comment on the Report (click here) until January 31, 2011.

Wondering Where The Line Is On Internet Privacy – – Just Watch Facebook

My firm receives many calls from new or existing businesses with Internet privacy questions.  Many calls come from e-commerce businesses, start ups, or businesses that want to utilize information gathered from users accessing their Web sites. Some business owners have ideas or concepts that test the limit on use of user profiles, preferences, and content.  The question becomes, just what are the limits for user expectations on privacy?

Take Facebook for example.  Facebook has a reported 400 million users.  Facebook is constantly in the headlines over its privacy policies and security settings related to its user’s profile information.  Whether it is a class action lawsuit in California  or the recent $10 million settlement for its Beacon program, you can count on Facebook to have dealt with any number of privacy issues in litigation.  

Recently, another lawsuit has been filed over Facebook’s "opt out" setting concerning the instant personalization feature.  Wendy Davis on  Online Media Daily reported on the story.  This feature automatically shares user information with three outside companies, Microsoft Docs, Pandora, and Yelp.  The lawsuit was filed in U.S. District Court in Rhode Island for violation of the Stored Communications Act (Download here).  By my count, Facebook has been sued at least 30 times in Federal court in recent years.

In the Internet privacy area, Facebook tests the outer limits of what is acceptable for privacy rights and user expectations.  When Facebook makes a change or tries something new, everyone pays attention.  As a result, Facebook’s privacy policies get vetted by 400 million users, numerous industry and trade groups, leading technology blogs like TechCrunch, and even the federal government. 

If you want to know what crosses the line when it comes to privacy on the Internet,  just watch Facebook.   

Will Data Protection Laws Ever Catch Up To New Technology?

That was the question posed in an email newsletter I received today from the International Association of Privacy Professionals.   I am a member of this group out of personal interest and to to stay on top of issues related to privacy laws and technology.   One of the benefits of belonging to this group is that I get email newsletters with summaries of new laws, regulations, and lawsuits dealing with privacy issues from all over the world. 

Today’s email posed the question in the title of this post and featured an article from the New York Times by Natasha Singer called "Shoppers Have No Secrets."   The article details the technology of "behavioral tracking" by retail and advertising businesses and how the Federal Trade Commission (FTC) is playing catch up when it comes to regulating this technology.

Online behavioral tracking has been a hot button issue for both businesses and privacy rights groups for a few years.  Natasha’s article lists several types of new tracking to include:

  • Cameras that can follow you from the minute you enter a store to the moment you hit the checkout counter, recording every T-shirt you touch, every mannequin you ogle, every time you blow your nose or stop to tie your shoelaces.
  • Web coupons embedded with bar codes that can identify, and alert retailers to, the search terms you used to find them.
  • Mobile marketers that can find you near a store clothing rack, and send ads to your cellphone based on your past preferences and behavior.

The article is a very good summary of the issue and has links to advocacy groups on both sides of the debate.  The article also highlights the differences between European and US based privacy laws. In general, the EU is far more advanced and stringent when it comes to personal data protection. 

In the US, the FTC publishes guidelines and takes enforcement action under its authority to regulate unfair trade.  There are also the states’ Attorney Generals and class action and individual lawsuits.  Nevertheless, to answer the question I posed in this post, it is clearly a "NO" in the US.   Data protection laws will not catch up to new technology. At least, not anytime soon.

So, should Connecticut businesses ignore consumer privacy issues?    Not if the business wants to stay ahead of the game and out of litigation over privacy violations.   The FTC and state Attorneys General still have broad enforcement powers to regulate unfair trade.  Also, individual consumers continue to bring lawsuits over these issues.  

For Connecticut businesses, it is a good idea or best practices to implement  a policy related to protection of consumer data, preferences, and personal identifiers.  I have posted some tips about these issues before.  If you are looking for "do it yourself" resources, another good place to start is the FTC guidelines on behavioral tracking or its Guide for Business in protecting personal information. 

Of course, by the time you implement a privacy plan for today’s technology, it will be time to start updating it for what tomorrow brings.  Good thing I get an email to remind me.