The FTC put the online advertising and user tracking industry on notice Monday that it’s time to clean up its act and start treating users’ data with respect, laying out broad guidelines for companies to follow. But the agency stopped short of calling for federal regulation of online data collectors, amid protests from online companies that regulation would kill a vibrant industry.
The report adds more weight to the Commerce Department’s own recent report and the White House’s call for an online bill of rights. The FTC’s report (.pdf) outlines broad principles that the FTC wants browser makers, ISPs, online ad companies, search engines and social networks — as well as offline data collecting entities — to pledge to obey.
Companies that do pledge to obey the code, but then fail to uphold them, could then be investigated by the FTC for “unfair business practices,” much as the FTC has fined and penalized companies for violating their own privacy policies (even though there’s no national requirement to publish a privacy policy). That’s how the FTC imposed 20-year privacy audits on both Facebook and Google — using their own privacy policies against them.
“With this Report, the Commission calls on companies to act now to implement best practices to protect consumers’ private information. These best practices include making privacy the “default setting” for commercial data practices and giving consumers greater control over the collection and use of their personal data through simplified choices and increased transparency,” the FTC said, adding that doing so should increase user’s trust in services and increase business for all.
While there’s no stick involved yet for online companies, the report did call for federal legislation that would force transparency on giant data collection companies like Choicepoint and Lexis Nexis. Few Americans know about those companies’ databases but they are used by law enforcement, employers and landlords. The FTC is asking Congress to make it easier for Americans to view and correct their data, as legislation requires with credit bureaus.
The FTC report emphasizes what it calls “privacy by design,” alluding to the idea that privacy and data security should be built into any service, not an afterthought. The four principles called for in the report are data security, reasonable collection limits, sound retention practices, and data accuracy. While the report is new, the principles are based on 40 year princples known as Fair Information Practices.
The FTC did not, however, lay down any hard or fast rules. For instance, data rentention periods are left to companies to decide – so that a mortgage broker can keep payment history information for the life of a mortgage, whereas a mobile app that collects a user’s current location would be encouraged to delete that data much faster.
Instead of prescriptions, the FTC wants a set of self-regulatory groups to build on these principles and issue best practices for various industries, and then have individual companies agree to abide by such rules.
That’s despite the report’s own admission that this model, which has been tried by the FTC since 2000 in regards to online privacy, has been a failure.
Commission agrees that, to date, self-regulation has not gone far enough. In most areas, with the notable exception of efforts surrounding Do Not Track, there has been little self-regulation of the data broker industry. For example, the FTC’s recent survey of mobile apps marketed to children revealed that many of these apps fail to provide any disclosure about the extent to which they collect and share consumers’ personal data. Similarly, efforts to establish self-regulatory rules concerning consumer privacy have fallen short.
These examples illustrate that even in some well-established markets, basic privacy concepts like transparency about the nature of companies’ data practices and meaningful consumer control are absent. This absence erodes consumer trust.
As if to give the rules some more weight, the FTC does say that it is joining the White House and Commerce department’s call for a “baseline” consumer privacy law – though it’s not clear whether there’s any real political will to do so, since setting privacy rules in writing is hard.
Just ask the FTC.
Photo: Alan Cleaver/Flickr