FTC Testifies on New Framework for Protecting Consumer Privacy

The Federal Trade Commission testified before Congress on its new privacy framework, which sets out best practices for companies to protect the privacy of American consumers and reemphasizes the agency's support for implementation of a "Do Not Track" mechanism that would allow consumers to control the tracking of their online activities across websites.

In delivering Commission testimony before the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, FTC Chairman Jon Leibowitz said it is a "decisive moment" for consumer privacy. The testimony goes on to describe the FTC's new privacy report, issued on Monday, which recommends that companies adopt best practices for protecting consumer privacy; the continued implementation of a Do Not Track mechanism that would allow consumers to choose whether they want to allow websites to collect information about their Internet activity; and that consumers gain greater access to information about them that is held by data brokers.

"While more work remains to be done on Do Not Track, the Commission believes that the developments to date are significant and provide an effective path forward," the testimony states.

The report, titled "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers," advocates three main principles for protecting consumer privacy: First, companies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices. Second, companies should provide simpler and more streamlined choices to consumers about their data practices. Third, companies, particularly those that don't deal directly with consumers, such as data brokers, should take steps to make their data practices more transparent by, for example, improving their privacy disclosures and giving consumers reasonable access to the data that companies maintain about them.

According to the testimony, the new FTC privacy report also commends initiatives undertaken by a number of companies that have begun to step up to the challenge since the agency first voiced its support for a Do Not Track mechanism in 2010: Microsoft, Mozilla, Apple and Google, as well as initiatives by the online advertising industry through the Digital Advertising Alliance and the World Wide Web Consortium, an international standard-setting body.

The privacy report also recommends that data brokers that compile information for marketing purposes make their operations more transparent by exploring creation of a centralized website to identify themselves, and that they disclose how they collect and use consumer data. The website would detail the choices that these data brokers provide consumers about their own information.

The Commission recommends Congress consider enacting general privacy legislation, and that it enact data security and breach notification legislation and targeted legislation to address data brokers, the testimony states. It also urges individual companies and self-regulatory bodies to accelerate the adoption of the principles contained in the privacy framework, to the extent they have not already done so.

The testimony describes how the FTC, the nation's chief privacy policy and enforcement agency, has focused on privacy protection for at least 40 years, and has undertaken substantial efforts to promote privacy in the private sector through education, policy initiatives and enforcement. Earlier this week, for example, the FTC announced an enforcement action against RockYou, a social media service that allegedly failed to use reasonable security measures for consumers' data, and collected information from about 179,000 children without obtaining the required parental consent under the Children's Online Privacy Protection (COPPA) Rule. Under a settlement with the agency, RockYou must implement a data security program that is subject to independent, third-party audits for 20 years and pay a $250,000 civil penalty.

In addition to the privacy framework report issued on Monday, the FTC also issues reports and holds public workshops examining the implications of new technologies and business practices on consumer privacy, the testimony notes. In February 2012, for example, the FTC released a staff report on mobile applications for children that found that, for the most part, neither app stores nor app developers disclose to parents what data apps collect from children, how apps share it, and with whom. The agency plans to hold a workshop in May 2012 to discuss how such information should be provided to consumers.

The FTC also is in the midst of a comprehensive review of the Children's Online Privacy Protection Rule, known as the COPPA Rule, in light of rapidly evolving technology and changes in the way children use and access the Internet. The agency hosted a workshop in December 2011 exploring facial recognition technology and the privacy and security implications raised by its increasing use. Also, according to the testimony, the FTC intends to examine the practices of large platforms – such as Internet browser companies, mobile operating system providers, Internet service providers, and social media services – that can collect data from across the Internet to build extensive profiles about consumers. Commission staff will host a workshop in the second half of 2012 to examine questions about the scope of such data collection practices, the potential uses of the collected data, and related issues.

In addition, the Commission supports the recent efforts and approach developed by the Department of Commerce regarding privacy issues, and looks forward to working together with the Department and the Administration as they move forward in their efforts.

The Commission vote approving the testimony and its inclusion in the formal record was 3-1, with Commissioner J. Thomas Rosch dissenting.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC's website provides free information on a variety of consumer topics. Like the FTC on Facebook and follow us on Twitter.