Here it Comes – Internet Privacy Regulation

The US Government Accountability Office (GAO), which provides auditing, evaluation and investigative services for Congress, has issued a reporton Internet data privacy. Two years in the making, the report suggests that "Comprehensive Internet privacy legislation that establishes specific standards and includes traditional notice-and-comment rulemaking and broader civil penalty authority could enhance the federal government's ability to protect consumer privacy." It also said that, "Recent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation."

No, they didn't come out and say Facebook there, but it's between the lines.

The report looks at the ad hoc responses to privacy that the current (non)system encourages. The Federal Trade Commission (FTC) has been addressing Internet privacy through its "unfair and deceptive practices" authority, among other statutes, and other agencies have been addressing privacy using industry-specific statutes. The report writers found that some stakeholders believe that FTC's reliance on its unfair and deceptive practices authority to address Internet privacy issues has limitations. Some of the tools it uses are not legal requirements and so the FTC cannot rely on them to define what constitutes unfair and deceptive practices related to privacy and data security.

Also, a former Federal Communications Commission (FCC) commissioner told the investigators that a new privacy statute could enhance Internet privacy oversight by creating uniform standards for all players in the Internet ecosystem that are focused on the consumer rather than the regulatory legacy of the companies involved. He was referring to regulations that apply to specific types of companies based on what they are or used to be, such as telecommunications carriers, cable companies, broadcasters or mobile wireless providers.

In a 2013 report, the GAO found "the current U.S. privacy framework is not always aligned with the Fair Information Practice Principles and that these principles provide a framework for balancing the need for privacy with other interests."

In particular, the GAO noted ""there are limited privacy protections under federal law for consumer data used for marketing purposes. We said that although the Fair Information Practice Principles call for restraint in the collection and use of personal information, the scope of protections provided under current law has been narrow in relation to: (1) individuals' ability to access, control, and correct their personal data; (2) collection methods and sources and types of consumer information collected; and (3) new technologies, such as tracking of web activity and the use of mobile devices … Companies are not always following the Fair Information Practice Principles, such as that companies' data practices should be transparent, allow consumers the right to access and edit their data, and limit the collection of data to the extent feasible."

Google and Facebook must be sweating now, eh?

The House Energy and Commerce Committee has scheduled a hearing for February 26 in which it will discuss the GAO's recent report as well as the possibility of drafting a federal-level Internet privacy law. Things might actually get real this time around.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.