• Categories

  • Archives

    « Home

    In the News: Privacy Lives Files Comments to FTC Urging Stronger Consumer Privacy Protection

    Privacy Lives filed comments (pdf) to the Federal Trade Commission detailing consumer privacy problems and urging the agency to strengthen consumer privacy protections. In September, the FTC announced it will hold public roundtables to “explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data” and requested comments.

    One section of the comments submitted by Privacy Lives focused on the failure of self-regulation by the online marketing industry.

    The  online  marketing  industry  has  pointed  to  new  self-­regulatory  principles, released  in  July, which  the  industry  says  shows  an  effort  to  improve  consumer privacy  protection  by following the  FTC’s  recently  promulgated  self-­regulatory   principles.  However,  for  several  reasons, these industry-imposed  self-regulatory   principles  do  little  to  protect  consumer  privacy.  These problems  unfortunately  show   that  the  FTC’s  self-­regulatory  principles have  not  worked  to convince  the  online   marketing  industry  to  improve  its  consumer  protections,  and  the  FTC needs  to  step   in  to  regulate  the  industry.

    The  only  change  of  note  in  the  industry  self-­regulatory  principles  seems  to  be   an “enhanced notice”  proposal.  “Links  to  consumer  notices  will  be  clear,  prominent,   and  conveniently located,”  for  any  businesses  that  voluntarily  follow  these   principles.  Though  we  support improved  transparency,  this  is  not  enough.  The   online  marketing  industry  is  merely providing  an  easier  way  for  consumers  to  reach   long  and  difficult-­to-understand  notices. Unless  the  notices  are  easier  to  understand,   it  will  not  matter  if  there  are  larger  links  to them  on  Web  sites.  Before  any  consumer   data  is  collected,  the  users  need  to  be  candidly informed  about  the  process  –  how   their  profile  is  created;  how  their  profile  evolves  as more  personal  data  is  collected;   how  tracking  and  data  gathering  occurs  site  to  site;  and what  data  can  be  added  to   their  profile  from  outside  databases.

    Another  failure  of  the  industry  self-­‐regulatory  principles  is  its  narrow   definition  of “sensitive  data.”  The  principles  ask  industry  members  not  to  collect   “sensitive  data,”  which the  industry  construes  as  (1)  “personal  information”  of   children  under  age  13  and  (2) “financial  account  numbers,  Social  Security  numbers,   pharmaceutical  prescriptions,  or medical  records  about  a  specific  individual.”  The   principles  do  allow  for  the  collection  and use  of  the  second  category  –  health  and   financial  data  –  if  a  user  consents  to  the collection  and  use.  This  would  permit   widespread  data  collection  involving  personal information  regarding  our  health  and   financial  concerns  based  on  consent  that  is  gathered via  complicated  privacy  notices   and  the  user  consent  is  most  likely  to  be  unknowing  or confused.

    The  final  and  most  important  point  where  the  industry’s  self-­‐regulatory   principles  fails  is enforcement.  There  is  no  enforcement  provision.  Non-compliance   merely  results  in  “public reporting”  of  non-­compliance.  Companies  could  ignore   the  principles  wholesale  without facing  meaningful  penalties.  Clearly,  the  industry’s   new  self-­regulatory  principles  are  merely for  public  relations,  rather  than  consumer   protection.

    For more on consumer privacy, see a legislative primer and overview, submitted by advocacy groups (including Pivacy Lives) to Congress in September, which detailed recommended solutions for and informing the public and government officials of important gaps in consumer privacy protection.

    Leave a Reply