MIT Technology Review has an interview with David Vladeck, head of the Federal Trade Commission’s Bureau of Consumer Protection, and the topics include consumer privacy, data protection, and FTC enforcement:
The job of the U.S. Federal Trade Commission is to protect consumers from deceptive and unfair business practices. And lately, “deceptive and unfair” has started to sound like a good description of the treatment consumers find on the Internet.
Social networks and advertisers collect huge amounts of information as people surf the Web. Yet few consumers understand—or even read—the complex privacy agreements they sign on to. What’s more, some Internet firms flat-out ignore them as well. […]
The commission has been acting tough [with recent fines against data brokers like Spokeo and investigations into Google and Facebook]. But its authority is fundamentally limited. It works from laws—like the 1970 Fair Credit Reporting Act—that were passed before advertisers could track what we browse online and before smart phones could pinpoint our locations. The FTC thinks broader new consumer protections are needed. […]
TR: What are the risks to consumers online?
Vladeck: There are several. We’ve seen a migration of traditional frauds to the Internet. In the last 18 months alone, we’ve shut down three Internet scams that bilked consumers out of nearly one billion dollars. Another is privacy. The FTC wants to ensure that consumers have control over their personal information and have easy, effective, and persistent ways to exercise that control. Third, we worry about malicious attacks—malware, spyware, spam—that threaten to impair the usefulness and safety of the Internet. […]
You arrived at the FTC wanting to change its approach to privacy. What was the problem?
Our privacy framework developed principally prior to the advent of the Internet. That started to fray already as the Internet became a principal means of communication. Companies would develop privacy policies. They would be hard to find on the Internet. They were written by lawyers like me who use privacy policies not only to talk about how data would be used and collected, but also to disclaim liability and to address every jot and tittle the company might want to address.
When I got here, I think there was a shared sense that the paradigm that had served in a paper world was not translating very well to a more digital world. We’ve been trying to change that paradigm to depend less heavily on incomprehensible privacy notices and to give consumers control over their data.
Is that why the FTC has called on Congress to pass new privacy laws?
We’ve requested congressional action in two spheres. One is in data security. Part of privacy is keeping data secure. We see, time and again, companies holding onto really sensitive information and not taking reasonable precautions to protect that data. We want Congress to give us the authority to impose civil penalties on companies that don’t respect their obligation to safeguard consumer information. Most recently, we’ve urged Congress to enact baseline privacy legislation. We can push basic privacy protections through public education, policy making, and enforcement. But baseline privacy legislation would give us a broader tool. It would also do a better job leveling the playing field so that companies that respect privacy are not disadvantaged in the marketplace.