A Preliminary FTC Staff Report on "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" #00355

Submission Number:
C Calderone
Initiative Name:
A Preliminary FTC Staff Report on "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers"
Comments on FTC Proposed Privacy Framework

I offer the following simple proposals in response to requests for comments:

In order to improve consumer understanding, require websites to have periodic (monthly) audits and updates to the consumer privacy choices. As they return to the website, consumers will have a higher probability of reading important language and understanding their choices. At the same time, the company would have the consumer accept the Privacy Policy multiple times, making informed consent more reliable.

The FTC call to increase transparency seems counterproductive. What consumer is going to understand all the implications of allowing meta-data collection? Even putting it into plain English and saying whether data is scrubbed or tokenized is unlikely to promote real understanding and awareness. I believe more good would come from the FTC publishing minimum standards for safeguarding information.

FTC could and should set universal privacy definitions and the use of a logo or identifiable mark makes sense. What a certain privacy standard means needs to be consistent and understood by both retailers and consumers as they move from site to site. Standard definitions will also help the companies research, plan, and set their privacy policy levels to correspond to the definitions. Moreover, it would be beneficial to understand how, if they use tokenization or other anonymizing technology to scrub personally identifiable information, they meet a certain level of personal privacy.

Let us assume that people are generally not pro-active. The FTC acknowledges that people will not read more than a quick blurb or two about their privacy rights and have required shorter policies. To further assist with this, a defined and coded simple standard will do far more to protect consumers than elaborate by design models will. As an attorney, even I do not read complete privacy policies on many of the websites I visit. However, a simple blurb, or a PG rating and a link to a wiki definition, would be easy for anyone to understand.

p. 20/122-Enforcement

Look at what works for Facebook. It is not their Privacy Policy approach that matters, but rather the reactions of the user community. Let FTC Approved labels go on websites that Say what they do and do what they say. Good Housekeeping type seal of approval can and would work. If it is part of a licensing process, fees could be charged to offset the FTC costs. This would allow pro-active compliance instead of reactive to complaints of criminal behavior or malfeasance. The example to follow might be that of becoming a member of the EU Data Protection Act's Safe Harbor provision.

Why do consumers need to have access to "their data"? In most instances, the only safe option is to have it anonymized and/or deleted.

Do Not Track makes little sense because some tracking is necessary for security purposes. Also, a main reason for collecting cookie data is to keep the consumer experience positive. If do not track means having to re-enter all data, even when you are checking on shipping for a previously placed order, then it will never be an acceptable choice for a consumer. There may still be indirect tracking, so why not allow certain information for the purposes of support and troubleshooting? Company websites would need to have consumers consent to waiving their DNT rights in order to do business on the site. Once this occurs then DNT is likely to have no effect.

Another argument would be that there can be a public benefit to knowing basic site traffic information similar to a Nielsen rating for a television broadcast. For example, wouldn't the FTC benefit by monitoring information on how many website visitors actually click or scroll on the Privacy Policy?