The Federal Trade Commission has issued its Final Privacy Framework Report that outlines guidelines for how companies can and cannot use consumer data on the Internet. The initial report was released in Dec. 2010 and the FTC took into consideration 453 public comments in the final report. The FTC provides guidelines for Do-Not-Track provisions, how information can be tracked on mobile devices and how large platform providers like Facebook and Google can use consumer data.
Since the initial report, the FTC brought enforcement actions against both Facebook and Google to “require the companies to obtain consumers’ affirmative express consent before materially changing certain of their data practices and to adopt strong, company-wide privacy programs that outside auditors will assess for 20 years.” While Google and Facebook drew the ire of the FTC, any company that tracks personal consumer data on the Web is now put on notice.
“We urge industry to continue to move forward with a Do-Not-Track system that would let consumers choose what information is collected about them online and how it is used … We call on Congress to enact legislation addressing data security, which we long supported. And data brokers, without the support or even the knowledge of the vast majority of consumers, collect and traffic the data we have left behind as we travel through virtual and brick-and-mortar worlds.” ~ Jon Leibowitz, chairman, Federal Trade Commission.
Five Focuses
The FTC is focusing on five action items in the privacy report. It also changed the scope of the framework to take the burden off small businesses. The final report concludes that the framework “should not apply to companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year.”
The primary theme of the FTC privacy framework is to prohibit companies from tying consumers to personally identifiable data. Comments on the original report cited concerns that new technologies make it easier for companies to “reasonably link” personal data to individual consumers. For instance, data created on Facebook or a Google account tied to Google+ could be reasonably linked to a specific individual. “The final report concludes that data is not ‘reasonably linked’ if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.”
The five main action items in the report:
Do-Not-Track: Includes browser vendors that have developed tools to allow consumers to limit data collected on them. Commends the Digital Advertising Alliance, a self-regulatory group of the advertising industry, on developing an icon-based system to honor the browser tools as well as the W3C on creating standards to protect consumer data.
Mobile: Urges companies to work toward improved privacy protections and to develop meaningful disclosures. The FTC has also created a project to update its business guidance about online advertising disclosures. The FTC is holding a workshop in D.C. on May 30, 2012 to discuss mobile privacy, advertising and consumer data.
Data Brokers: Consumers often do not know how they are being tracked on the Web and do not have the ability to figure it out. The FTC recommends that data brokers create a centralized website to identify themselves to consumers and detail the access rights and other options they provide for the consumer data they maintain.
Large Platform Providers: This includes Internet Service Providers, operating systems like Windows or Mac OS X, Android or iOS, browsers, and social media platforms like Twitter or Facebook. The ability of these platforms to track consumers’ online activities raises privacy concerns. The FTC plans a workshop on large platforms in the second half of 2012.
Promoting Enforceable Self-Regulatory Codes: The Department of Commerce is undertaking a project to facilitate development of sector-specific codes of conduct. Companies that adhere to the privacy framework will be viewed favorably in connection with the FTC’s law enforcement work. “The Commission will also continue to enforce the FTC Act to take action against companies that engage in unfair or deceptive practices, including the failure to abide by self-regulatory programs they join.”
The three pillars of the framework are “Privacy by Design,” “Simplified Choice for Businesses and Consumers,” and “Greater Transparency.”
“Your computer is your property,” said FTC chairman Jon Leibowitz. “No one, no one, has the right to put something on it that you don’t want.”
Broad Strokes
The FTC said that about 90% of online advertisers, tech companies and the DAA support Do-Not-Track and feel confident that self-regulation will encourage adherence to the FTC privacy framework.
The big issues outside of Do-Not-Track are how mobile data is handled and what can be done about the platform providers, especially Google and Facebook. More so than any other companies, Google and Facebook fit into all of the categories that the FTC has concerns about in terms of operating systems, social platforms, mobile presence and data and large data brokers.
“Just recently, Facebook and Google have signed FTC consent orders to give consumers more privacy choices and to obtain outside audits for their privacy practices,” Leibowitz said. “Actions that protect well over one billion users worldwide. It is a staggering number, especially for a small agency like ours.”
Few digital companies are outside the scope of the FTC report. Some are affected more than others, such as Facebook and Google but also companies like CarrierIQ, the cellular operators and ISPs, and advertising networks that have data dossiers on millions of consumers.
Outside of what the FTC has outlined with its privacy framework, the commission does not plan on adding any new mechanisms to its enforcement actions other than creating advanced rules for how children are tracked online later in the year.
Some question whether or not the FTC has bite behind its words. As an enforcement agency, it can take actions against companies that opt in to its guidelines, but many feel that legislation, especially around Do-Not-Track, is necessary if the government really wants to protect consumers on the Internet.
What do you think of the FTC’s framework? Is it comprehensive enough? Will it deter ad networks, Facebook or Google from violating user privacy? Or, is the FTC a paper tiger in the government system, roaring loudly for the cameras but unable to enact meaningful reform? Let us know your thoughts in the comments.