
FTC Proposes Privacy Reforms For Online Business

"Do Not Track" list could be in the offing; privacy policies could become simpler, clearer

The Federal Trade Commission today issued a report recommending significant changes to the rules that govern how commercial entities collect and use consumer data online.

The 122-page report, which has been long awaited by privacy advocates, outlines a variety of proposals designed to simplify privacy rules and give consumers more choice about the way they are tracked on the Internet.

The Commission staff is proposing a new framework for addressing the commercial use of consumer data. This framework builds on the existing notice-and-choice and harm-based models, the FTC's law enforcement experience, and a series of roundtable discussions, according to the report.

The proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer or device. It contains three main components.

First, companies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices, the report says. "Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to promote data accuracy."

Companies also should implement and enforce "procedurally sound" privacy practices throughout their organizations, the report says, "including, for instance, assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services. Such concepts are not new, but the time has come for industry to implement them systematically."

Second, the report proposes that companies provide choices to consumers about their data practices in a simpler, more streamlined way than has been used in the past. "Under this approach, consumer choice would not be necessary for a limited set of 'commonly accepted' data practices, thus allowing clearer, more meaningful choice with respect to practices of greater concern," the report says.

In a nutshell, this means that companies could reasonably collect data such as delivery addresses without the consumer's specific consent, but they would require consent for other types of data collection that might be considered more invasive.

For data practices that are not "commonly accepted," consumers should be able to make informed and meaningful choices, the FTC says. "Depending upon the particular business model, this may entail a 'just-in-time' approach, in which the company provides the consumer with a choice at the point the consumer enters his personal data or before he accepts a product or service," the report says.

"One way to facilitate consumer choice is to provide it in a uniform and comprehensive way," the report continues. "Such an approach has been proposed for behavioral advertising, whereby consumers would be able to choose whether to allow the collection and use of data regarding their online searching and browsing activities. The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads."

The FTC says it supports this approach, commonly referred to as "Do Not Track," a variation on the "Do Not Call" list that protects consumers from telemarketing. Unlike Do Not Call, which is a central registry of phone numbers, the mechanism the report describes would live in the consumer's own browser and be presented to every site the browser contacts.
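The report describes the universal choice signal only as "a persistent setting, similar to a cookie." The following is an added example, not code from the FTC report or from Dark Reading, showing how a tracking endpoint would honor such a signal server-side. It assumes the signal arrives as the HTTP request header `DNT: 1` (the form browsers later shipped) and contrasts it with a conventional per-site opt-out cookie (assumed name `optout`); the sample requests are constructed, not captured traffic. The `Tk` response header it emits comes from the later W3C Tracking Preference Expression draft and is not something the FTC report specifies.

```python
"""Added example: honoring a persistent, browser-level "do not track" signal.

Not code from the FTC report or Dark Reading. Assumptions: the signal is
the request header `DNT: 1`; the legacy per-site opt-out is a cookie named
`optout`; the `Tk` response header follows the W3C TPE draft ('N' = not
tracking, 'T' = tracking).
"""
import secrets
from http.cookies import SimpleCookie


def parse_cookie_header(value):
    """Parse a Cookie request header into a {name: value} dict."""
    jar = SimpleCookie()
    if value:
        jar.load(value)
    return {name: morsel.value for name, morsel in jar.items()}


def tracking_allowed(request_headers):
    """Decide whether this request may be tracked.

    Returns (allowed, reason). Header names are matched case-insensitively.
    The browser-level signal is checked first so that it wins even when the
    site has never set, or the user has lost, a site-specific opt-out cookie.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    if headers.get("dnt", "").strip() == "1":
        return False, "browser DNT signal"
    cookies = parse_cookie_header(headers.get("cookie", ""))
    if cookies.get("optout") == "1":
        return False, "site opt-out cookie"
    return True, "no opt-out signal present"


def respond(request_headers):
    """Build the response headers a tracking endpoint would send.

    A tracking identifier is minted only when tracking is allowed, so an
    opted-out user never receives a `uid` cookie in the first place.
    """
    allowed, reason = tracking_allowed(request_headers)
    response = {"Cache-Control": "no-store", "Tk": "T" if allowed else "N"}
    if allowed:
        uid = secrets.token_hex(16)
        response["Set-Cookie"] = f"uid={uid}; Secure; HttpOnly; SameSite=Lax"
    return response, reason


def simulate_cookie_clear(request_headers):
    """Model the user clearing cookies: the Cookie header disappears, but a
    browser setting such as DNT is still sent on the next request."""
    return {k: v for k, v in request_headers.items() if k.lower() != "cookie"}


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "no signal": {"User-Agent": "ExampleBrowser/1.0"},
    "cookie opt-out": {"User-Agent": "ExampleBrowser/1.0",
                       "Cookie": "optout=1; theme=dark"},
    "dnt header": {"User-Agent": "ExampleBrowser/1.0", "DNT": "1"},
}


def outcomes():
    """Return {label: (tracked_before_clear, tracked_after_clear)}.

    This is the failure mode of cookie-based opt-outs: the opt-out cookie is
    wiped along with everything else, and tracking silently resumes, whereas
    the browser-level signal survives the clear.
    """
    result = {}
    for label, req in SAMPLE_REQUESTS.items():
        before, _ = tracking_allowed(req)
        after, _ = tracking_allowed(simulate_cookie_clear(req))
        result[label] = (before, after)
    return result


if __name__ == "__main__":
    for label, (before, after) in outcomes().items():
        print(f"{label:15s} tracked before clearing cookies: {before!s:5s} "
              f"after: {after}")
```

Running the block prints one line per sample request; the "cookie opt-out" case flips from not tracked to tracked once cookies are cleared, while the "dnt header" case stays untracked, which is the practical difference between a site-scoped cookie and a browser-level setting.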

Third, the report proposes a number of measures that companies should take to make their data practices more transparent to consumers. "For instance, although privacy policies may not be a good tool for communicating with most consumers, they still could play an important role in promoting transparency, accountability, and competition among companies on privacy issues – but only if the policies are clear, concise, and easy to read. Thus, companies should improve their privacy policies so that interested parties can compare data practices and choices across companies."

The FTC also proposes providing consumers with "reasonable access" to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers.

Finally, the report proposes that stakeholders undertake a "broad effort" to educate consumers about commercial data practices and the choices available to them. "Increasing consumer understanding of the commercial collection and use of their information is important to facilitating competition on privacy across companies," the report says.

Reactions to the FTC proposals, predictably, were mixed. Privacy advocates generally supported the report's recommendations, but some IT and online marketing organizations were opposed.

"The current cookie-based opt-out system is ineffective in managing consumer choices," said Christopher Wolf, co-chair of the Future of Privacy Forum. "Rightly, the Commission calls for a better system for users to be able to control online data collection. The Commission was widely expected to call for legislation of a Do Not Track mechanism, but wisely left the door open to either legislative or self-regulatory solutions. The industry should act quickly to explore and implement a Do Not Track mechanism that both supports responsible advertising practices and enhances consumer controls and choices."

Daniel Castro, a senior analyst with the Information Technology and Innovation Foundation (ITIF), is scheduled to give testimony to Congress opposing the Do Not Track mechanism.

"In his testimony Castro will explain that such a mandate, if widely adopted, would significantly harm the current funding mechanism for the Internet ecosystem, resulting in less free Internet content and fewer free services," the ITIF said in a statement. "In addition, it would be costly to implement, difficult to enforce, and result in more intrusive and less relevant advertising for consumers."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
