Privacy Lives filed comments (pdf) to the Federal Trade Commission detailing consumer privacy problems and urging the agency to strengthen consumer privacy protections. In September, the FTC announced it will hold public roundtables to “explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data” and requested comments.
One section of the comments submitted by Privacy Lives focused on the failure of self-regulation by the online marketing industry.
The online marketing industry has pointed to new self-regulatory principles, released in July, which the industry says show an effort to improve consumer privacy protection by following the FTC’s recently promulgated self-regulatory principles. However, for several reasons, these industry-imposed self-regulatory principles do little to protect consumer privacy. These problems unfortunately show that the FTC’s self-regulatory principles have not worked to convince the online marketing industry to improve its consumer protections, and the FTC needs to step in to regulate the industry.
The only change of note in the industry self-regulatory principles seems to be an “enhanced notice” proposal. “Links to consumer notices will be clear, prominent, and conveniently located,” for any businesses that voluntarily follow these principles. Though we support improved transparency, this is not enough. The online marketing industry is merely providing an easier way for consumers to reach long and difficult-to-understand notices. Unless the notices are easier to understand, it will not matter if there are larger links to them on Web sites. Before any consumer data is collected, the users need to be candidly informed about the process – how their profile is created; how their profile evolves as more personal data is collected; how tracking and data gathering occurs site to site; and what data can be added to their profile from outside databases.
Another failure of the industry self-regulatory principles is their narrow definition of “sensitive data.” The principles ask industry members not to collect “sensitive data,” which the industry construes as (1) “personal information” of children under age 13 and (2) “financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about a specific individual.” The principles do allow for the collection and use of the second category – health and financial data – if a user consents to the collection and use. This would permit widespread data collection involving personal information regarding our health and financial concerns, based on consent that is gathered via complicated privacy notices and is most likely to be unknowing or confused.
The final and most important point where the industry’s self-regulatory principles fail is enforcement. There is no enforcement provision. Non-compliance merely results in “public reporting” of non-compliance. Companies could ignore the principles wholesale without facing meaningful penalties. Clearly, the industry’s new self-regulatory principles are merely for public relations, rather than consumer protection.
For more on consumer privacy, see a legislative primer and overview, submitted by advocacy groups (including Privacy Lives) to Congress in September, which detailed recommended solutions for, and informed the public and government officials of, important gaps in consumer privacy protection.