FTC Proposes Privacy Reforms For Online Business

Do Not Track list could be in the offing; privacy policies could become simpler, clearer

Tim Wilson, Editor in Chief, Dark Reading, Contributor

December 1, 2010

5 Min Read

The Federal Trade Commission today issued a report that recommends significant revisions of current online policy rules regarding consumers.

The 122-page report, which has been long awaited by privacy advocates, outlines a variety of proposals designed to simplify privacy rules and give consumers more choice about the way they are tracked on the Internet.

The Commission staff is proposing a new framework for addressing the commercial use of consumer data, using the model. This framework builds upon the notice-and-choice and harm-based models, the FTC’s law enforcement experience, and a series of roundtable discussions, according to the report.

The proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer or device. It contains three main components.

First, companies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices, the report says. "Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to promote data accuracy."

Companies also should implement and enforce "procedurally sound" privacy practices throughout their organizations, the report says, "including, for instance, assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services. Such concepts are not new, but the time has come for industry to implement them systematically."

Second, the report proposes that companies provide choices to consumers about their data practices in a simpler, more streamlined way than has been used in the past. "Under this approach, consumer choice would not be necessary for a limited set of 'commonly accepted' data practices, thus allowing clearer, more meaningful choice with respect to practices of greater concern," the report says.

In a nutshell, this means that companies could reasonably collect data such as delivery addresses without the consumer's specific consent, but they would require consent for other types of data collection that might be considered more invasive.

For data practices that are not "commonly accepted," consumers should be able to make informed and meaningful choices, the FTC says. "Depending upon the particular business model, this may entail a 'just-intime' approach, in which the company provides the consumer with a choice at the point the consumer enters his personal data or before he accepts a product or service," the report says.

"One way to facilitate consumer choice is to provide it in a uniform and comprehensive way," the report continues. "Such an approach has been proposed for behavioral advertising, whereby consumers would be able to choose whether to allow the collection and use of data regarding their online searching and browsing activities. The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads."

The FTC says it supports this approach, sometimes referred to as the "Do Not Track" list, a variation of the "Do Not Call" list that is designed to protect consumers from telemarketing.

Third, the report proposes a number of measures that companies should take to make their data practices more transparent to consumers. "For instance, although privacy policies may not be a good tool for communicating with most consumers, they still could play an important role in promoting transparency, accountability, and competition among companies on privacy issues – but only if the policies are clear, concise, and easy to read. Thus, companies should improve their privacy policies so that interested parties can compare data practices and choices across companies."

The FTC also proposes providing consumers with "reasonable access" to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers.

Finally, the report proposes that stakeholders undertake a "broad effort" to educate consumers about commercial data practices and the choices available to them. "Increasing consumer understanding of the commercial collection and use of their information is important to facilitating competition on privacy across companies," the report says.

Reactions to the FTC proposals, predictably, were mixed. Privacy advocates generally supported the report's recommendations, but some IT and online marketing organizations were opposed.

"The current cookie based opt-out system is ineffective in managing consumer choices," said Christopher Wolf, co-chair of the Future of Privacy Forum. "Rightly, the Commission calls for a better system for users to be able to control online data collection. The Commission was widely expected to call for legislation of a Do Not Track mechanism, but wisely left the door open to either legislative or self regulatory solutions. The industry should act quickly to explore and implement a Do Not Track mechanism that both supports responsible advertising practices and enhances consumer controls and choices."

Daniel Castro, a senior analyst with the Information Technology and Information Foundation, is scheduled to give testimony to Congress that opposes the Do Not Track mechanism.

"In his testimony Castro will explain that such a mandate, if widely adopted, would significantly harm the current funding mechanism for the Internet ecosystem, resulting in less free Internet content and fewer free services," the ITIF said in a statement. "In addition, it would be costly to implement, difficult to enforce, and result in more intrusive and less relevant advertising for consumers."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights