This week MediaShift will be running an in-depth special report on Online Privacy, including a timeline of Facebook privacy issues, a look at how political campaigns retain data, and a 5Across video discussion. Stay tuned all week for more stories on privacy issues.
Online privacy is the new openness.
After years of telling all on the Internet, of tweeting about armpit rashes and tantric sex, we may have gone too far, shared too much. We may have lost control of the information that we reveal about ourselves and of the way others use that information. Which is a bad thing.
That’s the thinking, at least, behind two government reports released at the end of 2010. The first one, produced by the Federal Trade Commission (FTC), outlines a plan to regulate the “commercial use of consumer data.” The second one, produced by the Commerce Department, recommends that the federal government “articulate certain core privacy principles” for the Internet. Together they show that online privacy is very much on the public agenda.
FTC ENDORSES “DO NOT TRACK”
The FTC report, titled Protecting Consumer Privacy in an Era of Rapid Change, begins by noting that “consumer information is more important than ever” and that “some companies appear to treat it in an irresponsible or even reckless manner.” It says data about consumer online activity and browsing habits are “collected, analyzed, combined, used, and shared, often instantaneously and invisibly.”
For example, if I browse online for a product, which I often do, then advertisers could collect and share information about me, including my search history, the websites I visit and the kind of content I view. Likewise, if I participate in a social networking site, which I do, then third-party applications could access the stuff I post on my profile. Today my only lines of defense would be to adjust the privacy controls on my browser, to download a plug-in, or to click the opt-out icon that sometimes appears near an ad.
That’s not good enough, according to the FTC report, which is intended to be a roadmap for lawmakers and companies as they develop policies and practices to protect consumer privacy. To that end, the FTC made three proposals.
First, companies should build “privacy protections into their everyday business practices.” More specifically, they should provide “reasonable security for consumer data,” they should collect “only the data needed for a specific business purpose,” they should retain “data only as long as necessary to fulfill that purpose,” they should safely “dispose of data no longer being used,” and they should create “reasonable procedures to promote data accuracy.” In addition, they should implement “procedurally sound privacy practices throughout their organizations.”
Although it’s unclear what would constitute a “specific business purpose,” those suggestions to a great degree reflect existing law. Section 5 of the FTC Act, which prohibits unfair or deceptive practices, can be used to nail companies that fail to secure consumer information. Similarly, the Gramm-Leach-Bliley Act requires financial institutions to take certain steps to secure their information, and the Fair Credit Reporting Act requires consumer agencies to ensure that the entities receiving their information have a permissible reason to receive it. The latter also imposes “safe disposal” obligations on those entities.
Second, companies should “provide choices to consumers about their data practices in a simpler, more streamlined way.” This would allow consumers in some transactions to choose the kind and amount of information they reveal about themselves. I say “in some transactions” because companies would have to distinguish between “commonly accepted data practices” and those “of greater concern.”
The former includes ordinary transactions in which consumer consent is implied, e.g., I buy a book through Amazon, and I give the company my shipping address. No big deal, says the FTC. The latter, however, includes activities and transactions in which consent is not implied, e.g., an online publisher allows a third party to collect data about my use of the publisher’s website. Big deal, says the FTC.
Where consent is not implied, consumers “should be able to make informed and meaningful choices,” and those choices should be “clearly and concisely described.” In the context of online advertising, that means I would be able to choose whether to allow websites to collect and share information about me. The most practical way to give me that choice, according to the FTC, is to place a persistent setting on my browser to signal whether I consent to be tracked and to receive targeted ads. This “do not track” mechanism could give consumers the type of control online that they have offline with the “do not call” list for telemarketers.
Third, companies should “make their data practices more transparent to consumers.” They should ensure that their privacy policies are “clear, concise and easy-to-read,” and in some circumstances they should allow consumers to check out the data kept about them. Those circumstances remain unclear, but the report says if a company maintains consumer data that are used for decision-making purposes, then it could be required to allow consumers to review that data, essentially to give them the chance to correct any errors.
It’s a good thing for the FTC to encourage companies to revisit their privacy policies. Most of them are long and dense and monuments to legalese, and some companies seem to notify me every week about changes to their terms and conditions. Nowhere is their ineffectiveness more apparent than in the world of mobile devices, which often spread privacy policies across dozens of screens, 50 words at a time. On the Internet, meanwhile, it would take consumers hundreds of hours [PDF file] to read the privacy policies they typically encounter in one year. That’s hardly helpful to the consumer.
All in all, the FTC report has received mixed reviews. Some say its recommendations won’t stop the information free-for-all, while others say it’s promising and a step in the right direction. In any case, the commission will need the help of Congress to implement the plan, and that help isn’t a sure thing.
COMMERCE DEPT. CALLS FOR PRIVACY CODES
The Commerce Department report, very sexily titled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework [PDF file], begins by noting that consumer privacy must address “a continuum of risks,” such as minor nuisances and unfair surprises, as well as the disclosure of sensitive information in violation of individual rights. The report’s purpose is to stimulate discussion among policymakers, and it includes recommendations in four areas.
First, the government should “revitalize” the FTC’s Fair Information Practice Principles, a code that addresses how organizations collect and use personal information and the reasonableness of those practices. The amended code should “emphasize substantive privacy protection rather than simply creating procedural hurdles.” The specifics are similar to those in the first section of the FTC report: the code should call on companies to be more transparent, it should articulate clear purposes for data collection, it should limit the use of data to those purposes, and it should encourage company audits to enhance accountability.
Well, this makes me think of the old saw that socialism is good in theory but doesn’t work. Whether or not that’s true, too often the same can be said (truthfully) of voluntary codes. To make this scheme work, at the very least, the FTC should be given rulemaking authority to develop binding codes in the event the private sector doesn’t act. Alternatively, as the report suggests, the FTC could ramp up its enforcement of existing privacy laws, to encourage companies to buy in to the voluntary codes, on the theory that the buy-in would entitle them to a legal safe harbor. In other words, complying with a voluntary code would create a presumption of compliance with any privacy legislation based on the amended Fair Information Practice Principles.
Fourth, Congress should pass a law to standardize the notification that companies are required to give consumers when data-security breaches occur. Lawmakers also should address “how to reconcile inconsistent state laws,” because the differences among them have created undue costs for businesses and have made it more difficult for consumers to understand how their information is protected throughout the country.
In the privacy world my sympathies are chiefly with the consumer, but the patchwork of state security breach notification (SBN) laws is a very real challenge for businesses. Not long ago, I worked with a company that had offices in a number of states, and as a result, it had to comply with a number of different state SBN laws. They were variations on the same theme, of course, but the differences had to be accommodated. The devil was in the details, and from that work it became obvious to me that the compliance costs were high and the benefits low: Some people get better notification than others. That’s neither fair for the consumers nor ideal for the company.
The reaction to the Commerce Department report, like the one to the FTC report, has been mixed. Privacy advocates have been critical of it, especially the sections that support self-regulation, but other groups and government officials have commended the Department for taking on a tough issue. For its part, the Department said it plans to incorporate the feedback into its final report, to be released later this year.
NEW COMMITTEE TO CARRY THE PRIVACY FLAG
It’s also worth mentioning that in late October, the National Science and Technology Council launched a Subcommittee on Privacy and Internet Policy. Chaired by Cameron Kerry, general counsel of the Commerce Department, and Christopher Schroeder, assistant U.S. attorney general, the subcommittee’s job is to monitor global privacy-policy challenges and to address how to meet those challenges.
The charter [PDF file] says the subcommittee will do three things: 1) it will produce a white paper on information privacy in the digital age, building on the work of the FTC and the Commerce Department; 2) it will develop a set of general principles that define a regulatory framework for Internet privacy, one that would apply in the U.S. and globally; and 3) it will coordinate White House statements on privacy and Internet policy, striking a balance between the expectations of consumers and the needs of industry and law enforcement.
Online privacy is on the government’s brain, no doubt, but it’s hard to say what effect, if any, the reports will have. They strike a chord with privacy advocates concerned about the way companies use the information that consumers reveal about themselves. They show sensitivity to the needs of both consumers and businesses. And they don’t contain, possibly with the exception of the “do not track” mechanism, any kind of poison pill that would make the reports in their entirety look undesirable to major stakeholders.
Still, many companies already do what the reports recommend, and many of the recommendations to a great degree reflect existing law. So it’s fair to wonder how much would change even if lawmakers used the reports to draft legislation. Lots of macro-micro questions remain unanswered, too.
Would all types of businesses be subject to the new framework? What about one that collects only non-sensitive consumer data? How long would businesses be required to retain consumer data? Is there a principled way to come up with a time period? Should companies be allowed to charge a fee to consumers for them to access information that the company maintains about them? If so, how much?
That’s just a small sample of the questions that the FTC and Commerce Department need to answer before moving ahead, and they’ve requested help from interested parties. Readers should feel free to weigh in by contacting the agencies directly; otherwise, drop a comment in the box below.
Jonathan Peters is a lawyer and the Frank Martin Fellow at the Missouri School of Journalism, where he’s working on his Ph.D. and specializing in the First Amendment. An award-winning freelancer, he has written on legal issues for a variety of newspapers and magazines. He can be reached at firstname.lastname@example.org.