Response was swift and generally positive to the Federal
Trade Commission's release of its final report on privacy protection in the
digital age.
The report backs a voluntary do-not-track regime, both
browser- and website-based, but suggests legislation is needed to regulate
online data brokers and a general online privacy framework that will put teeth
into voluntary efforts to provide consumers more transparency, choice and
control.
"It is gratifying to see that the input provided by the
Future of Privacy Forum was useful to the FTC, which repeatedly cites the Forum
in the Report," said Christopher Wolf, co-chair of the Future of Privacy
Forum. "The FTC's definition of the scope of privacy protection is
flexible and sensible, and allows for use of de-identified data.
"It is not surprising that the Commission joins in the call
for baseline privacy legislation and data security legislation. There appears
to be a groundswell of support for legislation. With that said, the FTC has
called for legislation before, so by itself, this support will not necessarily
lead to legislation anytime soon. On Do Not Track, the FTC correctly is
prepared to wait for the ongoing self-regulatory efforts to proceed. A lot of
progress has been made and can be expected."
Jeff Chester of the Center for Digital Democracy has been
one of the leading voices for online privacy protections. He praised the
effort, but called for more. "The Commission's new privacy report zeros in
on one of the most glaring threats to consumers today-the growth of the
online-merged with-offline data collection complex. In its call for
Congress to enact legislation to rein in the data broker industry, the FTC has
opened up an important new ‘front' in the battle to protect consumer privacy...
Overall, the FTC's call for ensuring the public has greater control over how
their data is collected and used online, should prompt industry leaders to
rethink how they address protecting consumer privacy. The FTC's further
clarification of what is considered personally identifiable also is a step
forward."
In order to be able to anticipate future uses of data, FTC
recommends a definition of personally identifiable information in terms of
"data that, while not traditionally considered personally identifiable, is
linkable to a consumer or device."
But the battle remains. "We call on the FTC to
specifically spell out how to ensure consumers have meaningful "choice" to
control the collection and use of their information," said Chester.
"The commission's overall support for industry self-regulation (such as
the largely invisible ‘icon' placed on ads) is disappointing, and reveals a FTC
still too often constrained from effectively protecting the public."
While a source said cable operators and phone companies lobbied hard for being able to use deep packet inspection, the FTC decided that ISPs who use DPI are engaging in a different relationship with the customer and
"should not be exempt from having to provide consumers with choices" over whether or not its packets get inspected. "This is true whether the entity tracks consumers through the use of DPI, social plug-ins, http cookies, web beacons, or some other type of technology."
"The commission resisted calls from the telephone and cable lobby to endorse the controversial Deep-Packet Inspection (DPI) surveillance system,"s aid Chester. "The FTC plans to hold a workshop and conduct further study on this critical privacy and civil liberties issue, which is prudent."
Adonis Hoffman, communications professor at Georgetown and
former general counsel at the American Association of Advertising Agencies,
praised the report as a good balancing act between regulation and the
marketplace.
"Once again, the FTC has shown its sensitivity for the
need to balance consumer interests with business realities," he told B&C/Multi. "This report puts the burden on companies to implement
privacy best practices, and it commendably exempts small businesses from this
burden. As with any self-regulatory framework, the test will be enforcement.
Predictably there is bound to be one or more examples of bad behavior where
consumers get harmed. When that happens, it will be incumbent on the FTC
to come up with strong sanctions and send a clear message that consumer privacy
matters. If the Commission does not act boldly in those cases, it will run the
risk of being seen as too cozy with the industries it regulates. All things considered,
the report should provide a good predicate for any major privacy
legislation."
Amy Mushahwar, data privacy & security attorney at Reed
Smith LLP, was all for self-regulation. "We agree with the FTC that
industry's self-regulatory efforts concerning the development of a Do Not Track
browser standard have come a long way during the past year, and we also agree
with the FTC that the significant progress already made by the Digital
Advertising Alliance will likely obviate the need for legislation on this
issue," she said in an e-mailed statement. "It is the right thing to
do, and it is getting done. The fact that the FTC is continuing to work
with industry on these issues is a very positive sign."
FTC Chairman Jon Leibowitz told reporters Monday he was very
confident a "do not track" regime for online data could be achieved
short of legislation.
